preface


The telegraph, telephone, radio, and especially the 
computer have put everyone on the globe within earshot— 
at the price of our privacy. It may feel like we’re performing 
an intimate act when, sequestered in our rooms and 
cubicles, we casually use our cell phones and computers to 
transmit our thoughts, confidences, business plans, and 
even our money. But clever eavesdroppers, and sometimes 
even not-so-clever ones, can hear it all. We think we’re 
whispering, but we’re really broadcasting. 


A potential antidote exists: cryptography, the use of secret 
codes and ciphers to scramble information so that it’s 
worthless to anyone but the intended recipients. And it’s 
through the magic of cryptography that many 
communications conventions of the real world—such as 
signatures, contracts, receipts, and even poker games—will
find their way to the ubiquitous electronic commons. But as
recently as the early 1970s, a deafening silence prevailed 
over this amazing technology. Governments, particularly 
that of the United States, managed to stifle open discussion 
on any aspect of the subject that ventured beyond 
schoolboy science. Anyone who pursued the fundamental 
issues about crypto, or, worse, attempted to create new 
codes or crack old ones, was doomed to a solitary quest that 
typically led to closed doors, suddenly terminated phone 
connections, or even subtle warnings to think about 
something else. 


The crypto embargo had a sound rationale: the very 
essence of cryptography is obscurity, and the exposure that 
comes from the dimmest ray of sunlight illuminating the 
working of a government cipher could result in catastrophic 
damage. An outsider who knew how our encryption worked 
could make his or her own codes; a foe who learned what 
codes we could break would shun those codes thereafter. 


But what if governments were not the only potential 
beneficiaries of cryptography? What if the people 
themselves needed it, to protect their communications and 
personal data from any and all intruders, including the 
government itself? Isn’t everybody entitled to privacy? 
Doesn’t the advent of computer communications mean that 
everyone should have access to the sophisticated tools that 
allow the exchange of words with lawyers and lovers, 
coworkers and customers, physicians and priests with the 
same confidence granted face-to-face conversations behind 
closed doors? 


This book tells the story of the people who asked those 
questions and created a revolution in the field that is 
destined to change all our lives. It is also the story of those 
who did their best to make the questions go away. The
former were nobodies: computer hackers, academics, and
policy wonks. The latter were the most powerful people in 
the world: spies, and generals, and presidents. Guess who 
won. 


the loner 


Mary Fischer loathed Whitfield Diffie on sight. He was a 
type she knew all too well, an MIT brainiac whose 
arrogance was a smoke screen for a massive personality 
disorder. The year of the meeting was 1969; the location a 
hardware store near Central Square in Cambridge, 
Massachusetts. Over his shoulder he carried a length of 
wire apparently destined for service as caging material for 
some sort of pet. This was a typical purchase for Diffie, 
whose exotic animal collection included a nine-foot python, 
a skunk, and a rare genetta genetta, a furry mongooselike 
creature whose gland secretions commonly evoked severe 
allergic reactions in people. It lived on a diet of live rats and 
at unpredictable moments would nip startled human 
admirers with needlelike fangs. An owner of such a 
creature would normally be of interest to Mary Fischer, an 
animal lover who at that very moment had a squirrel in her
pocket. At home she also had a skunk as well as two dogs, a
fox, a white-wing trumpeter bird, and two South American 
kinkajous. Diffie saw that she was buying some cage clips 
and abruptly focused his attention on her. 


In future years, Whit Diffie would be known— 
extraordinarily well known—as the codiscoverer of public 
key cryptography, an iconographic figure with his shoulder- 
length blond hair, Buffalo Bill beard, and his bespoke suits 
cut by London tailors. But back in those days he was a wiry, 
crew-cut youth with “the angriest face I’d ever seen,” 
Fischer says, and he immediately began peppering Mary 
Fischer with questions. You keep exotic animals? Then 
you'll need this, and this, and this. He took things out of her 
hands and put other things in as he lectured. His rudeness 
appalled Mary. But she hadn’t yet cracked his code. 


Mary Fischer didn’t know that Diffie was spending 
prodigious amounts of time thinking about problems in 
computer security and their mathematical implications. She 
had no idea that he was casting about for a new way to 
preserve secrets. All she knew was that Whit Diffie was 
unappetizing and he loved animals. But animals meant a lot 
to her, and soon Diffie and his girlfriend began visiting Mary 
and her husband, sometimes accompanied by their 
creatures. The skunks got along, some ferrets were 
exchanged, and Diffie’s visits to her home became routine. 


Mary began to reconsider her initial repulsion to Diffie. 
But, in his failure to decode her, he seemed generally 
oblivious to her. On his visits he interacted only with the 
man of the house. After Mary and her husband moved to 
New Jersey, where he started veterinary school, she would 
sometimes pick up the ringing phone and hear Diffie’s 
cuttingly precise voice brusquely ask for her spouse, as if 
she were an answering service. One day she made her
feelings plain. “Look,” she said, “I understand I’m not as
bright as you and some of your friends, and I understand
your friendship is primarily with my husband. But I don’t 
really think it would kill you to say hello.” 


The message got through. Diffie’s demeanor toward Mary 
dramatically improved, and she was not just startled but 
saddened when one day in 1971 he told her that he was 
going to travel for a while. Mary didn’t know yet that Whit 
Diffie was preparing himself for a solitary—and romantic— 
quest, looking for answers to questions that the United 
States government didn’t want asked. The odds against his 
success were astronomical, because he was confronting a 
near complete blockade of relevant information on a subject 
that, on its most sophisticated levels, was almost 
unspeakably obscure. What were the odds against such an 
unheralded outsider’s transforming an entire field with an 
original discovery that would redefine the ground rules for 
personal privacy in the computer era? 


The length of those odds would shorten with the role of 
Diffie’s courtship of Mary Fischer in overcoming them—and 
a scientific breakthrough would result that affects every 
citizen in the digital age. “The discovery of public key,” says 
Fischer, “was a romance.” 


Bailey Whitfield Diffie was born on the eve of D-Day, June 5, 
1944. His professor father had just completed a wartime 
sabbatical in government service. (Though he disliked 
Communists—more for their humorless single-mindedness 
than their ideology—Whit Diffie’s father was a passionate 
antifascist and often lectured against the repressive 
movement in Europe.) Both of Whit’s parents were 
educated people. Bailey Wallace Diffie taught Iberian
history and culture at City College in New York. Diffie’s
mother was the former Justine Louise Whitfield, a 
stockbroker’s daughter from Tennessee who met her 
husband while working in the foreign service in Spain. She 
was a writer and scholar who studied Madame de Sévigné, 
a figure in the court of Louis XIII and Louis XIV. 


Whit Diffie was always an independent sort. As one early 
friend remarked, “That kid had an alternative lifestyle at 
age five.” Diffie didn’t learn to read until he was ten years 
old. There was no question of disability; he simply preferred 
that his parents read to him, which seemingly they did, 
quite patiently. Apparently both parents understood that 
their son was extremely intelligent and obstinately 
contrarian, so they didn’t press him. Finally, in the fifth 
grade, Diffie spontaneously worked his way through a tome 
called The Space Cat, and immediately progressed to the 
Oz books. 


Later that year his teacher at P.S. 178—“Her name was
Mary Collins, and if she is still alive I’d like to find her,” 
Diffie would say decades later—spent an afternoon 
explaining something that would stick with him for a very 
long time: the basics of cryptography. Specifically, she 
described how one would go about solving something 
known as a substitution cipher. 


Diffie found cryptography a delightfully conspiratorial 
means of expression. Its users collaborate to keep secrets in 
a world of prying eyes. A sender attempts this by 
transforming a private message to an altered state, a sort of 
mystery language: encryption. Once the message is 
transformed into a cacophonous babble, potential 
eavesdroppers are foiled. Only those in possession of the 
rules of transformation can restore the disorder back to the 
harmony of the message as it was first inscribed:
decryption. Those who don’t have that knowledge and try to
decrypt messages without the secret “keys” are practicing 
“cryptanalysis.” 


A substitution cipher is one where someone creates 
ciphertext (the scrambled message) by switching the letters 
of the original message, or plaintext, with other letters 
according to a prearranged plan. The most basic of these 
has come to be known as the Caesar cipher, supposedly 
used by Julius Caesar himself. This system simply moved 
every character in the plaintext to the letter that occurs 
three notches later in the alphabet. (For instance, a Caesar 
cipher with its “key” of three would change A to D, B to E, 
and so on.) Slightly more challenging to an armchair 
cryptanalyst is a cryptosystem that matches every letter in 
the alphabet to one in a second, randomly rearranged 
alphabet. Newspaper pages often feature a daily 
“cryptogram” that encodes an aphorism or pithy quote in 
such a manner. These are by and large easy to crack 
because of the identifiable frequency of certain letters and 
the all-too-often predictable way they are distributed in 
words. 
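The two substitution schemes just described, as an added example that is not from the book: a Caesar shift with a key of three, a randomly rearranged alphabet, and a check of why both are easy to crack. The sample sentence and every function name are constructed for illustration.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

def caesar_table(key):
    """Cipher alphabet for a Caesar shift: key=3 maps A->D, B->E, and so on."""
    return ALPHABET[key:] + ALPHABET[:key]

def random_table(seed):
    """A randomly rearranged alphabet, like the key of a newspaper cryptogram."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return "".join(letters)

def substitute(text, cipher_alphabet, decrypt=False):
    """Swap each letter for its partner in the other alphabet; spaces pass through."""
    if decrypt:
        table = str.maketrans(cipher_alphabet, ALPHABET)
    else:
        table = str.maketrans(ALPHABET, cipher_alphabet)
    return text.upper().translate(table)

def frequency_profile(text):
    """Letter counts sorted high to low, ignoring which letter owns which count."""
    return sorted(Counter(c for c in text if c in ALPHABET).values(), reverse=True)

def word_pattern(word):
    """Repetition pattern of a word, e.g. TREE -> 0.1.2.2."""
    seen = {}
    return ".".join(str(seen.setdefault(c, len(seen))) for c in word)

def guess_caesar_key(ciphertext):
    """Assume the most frequent ciphertext letter stands for E and read off the shift."""
    top = Counter(c for c in ciphertext if c in ALPHABET).most_common(1)[0][0]
    return (ALPHABET.index(top) - ALPHABET.index("E")) % 26

# Constructed sample plaintext in which E is by far the most common letter.
PLAINTEXT = "MEET ME NEAR THE ELM TREE WHERE THE EVENING BELLS END"

if __name__ == "__main__":
    shifted = substitute(PLAINTEXT, caesar_table(3))
    print(shifted, "-> recovered key", guess_caesar_key(shifted))
    scrambled = substitute(PLAINTEXT, random_table(1))
    # The scrambled alphabet hides which letter is which, but not how often
    # each one occurs or where letters repeat inside a word.
    print(frequency_profile(PLAINTEXT) == frequency_profile(scrambled))
    print(word_pattern("TREE"), word_pattern(substitute("TREE", random_table(1))))
```
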


Like countless other curious young boys before him, Whit 
Diffie was thrilled by the process. In his history of 
cryptography, The Codebreakers, author David Kahn 
probes the emotional lures of secret writing, citing Freud’s 
theory that the child’s impulse to learn is tied to the desire 
to view the forbidden. “If you’re a guy, you’re trying to look 
up women’s skirts,” says Kahn. “When you get down to it 
basically, that’s what it is, an urge to learn.” For many, the 
fascination of crypto also deals with the thrill that comes 
from cracking encoded messages. Every intercepted 
ciphertext is, in effect, an invitation to assume the role of 
eavesdropper, intruder, voyeur. In any case, it wasn’t the 
prospect of breaking codes that excited Whit Diffie but the
more subtle pursuit of creating codes to protect
information. “I never became a very good puzzle solver, and 
I never worked on solving codes very much then or later,” 
he now says. He would always prefer keeping secrets to 
violating the secrets of others. 


Diffie’s response to Miss Collins’s cryptography lesson 
was characteristic. He ignored her homework assignment,
but independently pursued the subject in his own 
methodical, relentless fashion. He was particularly 
interested in her off-the-cuff remark that there were more 
complicated ciphers, including a foolproof “U.S. Code.” He 
begged his father to check out all the books in the City 
College library that dealt with cryptography. Bailey Diffie 
promptly returned with an armload of books. Two of them 
were written for children; Diffie quickly devoured those. 
But then he got bogged down in Helen Forché Gaines’s 
Cryptanalysis, a rather sophisticated 1939 tome. 


Gaines offered a well-organized set of challenges that 
would provide hardworking amateurs an education in 
classical cryptographic systems. Many of these were 
refinements of advances made centuries ago, which in turn 
were more complicated variations of the earlier substitution 
ciphers. The best known were the polyalphabetic systems, 
first hatched in Vatican catacombs and later revealed in the 
early 1500s by a German monk named Johannes 
Trithemius. Published in 1518—two years after his death— 
Trithemius’s Polygraphia introduced the use of tables, or 
tableaux, wherein each line was a separate, reshuffled 
alphabet. When you encoded your message, you 
transformed the first character of the text using the 
alphabet on the first line of the tableau. For the second 
character of your message you'd repeat the process with 
the scrambled alphabet on the second line, and so on. 


On the heels of Trithemius came the innovations of a 
sixteenth-century French diplomat named Blaise de 
Vigenère. Here was a man who had penetrated the soul of
crypto. “All things in the world constitute a cipher,” he once 
observed. “All nature is merely a cipher and a secret 
writing.” In the most famous of almost two dozen books he 
produced after his retirement from the diplomatic service, 
Vigenère produced devastating variations on previous 
polyalphabetic systems, adding complexity with a less 
predictable tableau and “autokeys” that made use of the
plaintext itself as a streaming key. The Vigenère system won
a lasting reputation for security—it was known as le chiffre 
indéchiffrable—so much so that until almost the twentieth 
century, some armchair cryptographers believed that a 
certain streamlined version of the system was the sine qua 
non of cryptosystems. 


Actually, by the time Diffie encountered them, the 
cryptologic arts had progressed dramatically since 
Vigenère. Still, Diffie’s juvenile inquiries led him to think
that Vigenère was the endpoint of the subject. Bored by the
thought that cryptography was a problem already solved, 
he didn’t delve too deeply into Gaines’s book. His obsession 
with codes faded. At the time, he also felt that everybody 
was interested in codes, and, as a dogged contrarian, “this 
made it seem vulgar to me,” he later recalled. “Instead, I 
learned about ancient fortifications, military maps, 
camouflage, poison gas, and germ warfare.” He came to 
share his interests with a small group of teenage friends, 
and even considered pursuing a career in the armed forces, 
checking out the ROTC programs of universities he was 
interested in. But only one of Diffie’s militia-minded clique 
actually enlisted in one of the armed services—and died in 
Vietnam. 


Ultimately it was mathematics, not munitions, which 
dictated Diffie’s choice of college. Math offered one thing 
that history did not: a sense of absolute truth. “I think that 
one of the central dilemmas of Whit’s life has been to figure 
out what is really true,” explains Mary Fischer, who says 
that early in the boy’s life, Diffie’s father was called to 
school and told that his son was a genius. As Fischer tells it, 
Bailey Diffie’s reaction was to offer a ruse, in hopes that it 
would provoke discipline. He told Diffie that he wasn’t as 
bright as other boys, but if he worked harder than those 
favored with high intelligence and applied himself, he might 
be able to achieve something. “With some children that 
might have worked,” says Fischer, “but with Whit it was a 
bad tactic. It shook him for years, and I think it gave Whit a 
real hunger for what was ground-zero truth.” 


Though Diffie performed competently in school, he never 
did apply himself to the degree his father hoped. He was 
sometimes unruly in class; he worked best with material 
untainted by the stigma of having been assigned. Once a 
calculus teacher, fed up with Whit’s noise-making, 
remarked, “One day you'll be roasting marshmallows in 
here!” and sure enough, the next class Diffie brought a 
Sterno can to toast the marshmallows a friend smuggled 
into school. He failed to fulfill the requirements for a full 
academic diploma, settling for a minimal distinction known 
as a general diploma. Nor did he attend graduation; he left 
with his father on a European trip. (The great tragedy of 
Diffie’s high school years was the death of his mother; he 
still avoids talking about it.) Only stratospheric scores on 
standardized tests enabled him to enter the Massachusetts 
Institute of Technology in 1961. 


“I wasn’t a very good student there, either,” Diffie admits.
He was, however, dazzled by the brainpower of the student 
body, a collection of incandescent outcasts, visionaries, and
prodigies, some of whom could solve in a minute problems
that would take Diffie a day to complete. Of these mental 
luminaries, Whitfield Diffie might have seemed the least 
likely to produce a world-changing breakthrough. But since 
his brilliant friends were human beings and not high- 
powered automata, their trajectories proved far from 
predictable. Some of the very brightest wound up cycling 
through esoteric computer simulations, or proselytizing 
smart drugs, or teaching Transcendental Meditation. 


Contemporaries from MIT recall Diffie vividly as a quirky 
teenager with blond hair sticking out from his head by two 
inches (“You wanted to take a lawn mower to it,” says a 
friend). He bounded through campus on tiptoe, a weird 
walk that became an unmistakable signature in motion. But 
he was noted for his deep understanding of numbers as 
well. 


He also took up computer programming—at first, Diffie 
now says, to get out of the draft. “I thought of computers as
very low class,” he says. “I thought of myself as a pure 
mathematician and was interested in partial differential 
equations and topology and things like that.” But by 1965, 
when Diffie graduated from MIT, the Vietnam War was 
raging and he found himself deeply disenchanted with the 
trappings of armed conflict. “I had become a peacenik,” he 
says. Not to mention a full-blown eccentric. He and his 
girlfriend lived in a small Cambridge apartment that 
eventually became packed with glass-walled tanks to hold 
their prodigious collection of exotic fauna. An aficionado of 
Chinese food, Diffie was also known for carrying around a 
pair of elegant chopsticks, much the way a serious billiard 
player totes his favorite cue. 


To avoid the draft, Diffie accepted a job at the Mitre 
Corporation, which, as a defense contractor, could shelter
its young employees from military service. His work had no
direct connection to the war effort: he worked under a 
mathematician named Roland Silver, teaming up with 
another colleague to write a software package called
Mathlab, which later evolved into a well-known symbolic
mathematical manipulation system called Macsyma. 
(Though few knew of the nature of his contribution, the 
nerd cognoscenti understood that Diffie’s work here 
involved a virtuosic mastery of arithmetic, number theory,
and computer programming.) 


Best of all, Diffie’s team did not have to work at the Mitre 
offices but, in 1966, became a resident guest of the 
esteemed Marvin Minsky in the MIT artificial intelligence 
lab. During the three years he worked there, Diffie became 
part of this storied experiment in making machines smart, 
in pushing the frontiers of computer programming and in 
establishing an information-sharing ethos as the ground 
zero of computer culture. One aspect of this hacker- 
oriented society would turn out to be particularly relevant 
to the direction that Diffie’s interests were heading. Just as 
some words in various languages have no meaning to 
drastically different civilizations (why would a tropical 
society need to speak of “snow”?), the AI lab had no 
technological equivalent for a term like “proprietary.” 
Information was assumed to be as accessible as the air 
itself. As a consequence, there were no software locks on 
the operating system written by the MIT wizards. 


Unlike his peers, however, Diffie believed that technology 
should offer a sense of privacy. And unlike some of his 
hacker colleagues, whose greatest kick came from playing 
in forbidden computer playgrounds, Diffie was drawn to 
questions of what software could be written to ensure that 
someone’s files could not be accessed by intruders. To be 
sure, he participated in the literal safecracking that was a
standard hobby in the AI lab: a favorite hacker pastime
involved discovering new ways of opening government- 
approved secure safes. But Diffie got more of a kick from 
the protection of a strongly built safe than the rush of 
breaking a poorly designed system of locks and tumblers. 
He liked to keep his things in high-security filing cabinets 
and military safes. 


In the information age, however, the ultimate information 
stronghold resides in software, not hardware: virtual safes 
protecting precious data. Information, after all, represents 
the treasure of the modern age, as valuable as all the 
doubloons and bangles of previous eras. The field charged 
with this responsibility back then was computer security, 
then in a nascent stage. Not many people bothered to 
discuss its philosophical underpinnings. But Diffie would 
often engage his boss in conversations on security. 
Inevitably, cryptography entered into their discussions. 


Silver had some knowledge in the field, and the elder man 
opened Diffie’s eyes to things unimaginable in his fifth- 
grade independent study. One day the pair sat in the 
cafeteria at Tech Square, the boxy nine-story building 
whose upper levels housed the AI lab, and Silver carefully 
explained to Diffie how modern cryptosystems worked. 


Naturally, they depended on machinery. The machines 
that did the work—whether electromechanical devices like 
the Enigma cipher machines used by the Germans in World 
War II, or a contemporary computer-driven system— 
scrambled messages and documents by applying a unique 
recipe that would change the message, character by 
character. (The recipe for those transformations would be a 
set of complicated mathematical formulas or algorithms.) 
Only someone who had an identical machine or software 
program could reverse the process and divine the plaintext,
with use of the special numerical key that had helped
encrypt it. 


In the case of the Enigma machines, that key involved 
“settings,” the positions of the various code wheels that 
determined how each letter would be changed. Each day 
the encrypters would reset the wheels in a different way; 
those receiving the message would already have been 
informed of what those settings should be on that given day. 
That’s why the Allied coup of recovering live Enigma 
machines—the key intelligence breakthrough of World War 
II—was only part of the elaborate codebreaking process 
that took place at Bletchley Park in England. The 
cryptanalysts also had to learn the process by which the 
Axis foes made their settings; then they could conduct what 
was known as a “brute force” attack that required going 
through all the possible combinations of settings. This could 
be efficiently done only by creating machines that were the 
forerunners of modern computers. 


With computers, the equivalent of Enigma settings would 
become a digital key, a long string of numbers that would 
help determine how the system would transform the 
original message. Of course, the intended recipient of the 
message had to have not only the same computer program, 
but also that same key. But both mechanical and digital 
systems had two components: a so-called black box with the 
rules of transformation and a key that you’d feed into the 
black box along with your everyday message in plain 
English. Such was the background for what Silver talked 
about to Diffie that day—but not being privy to government 
secrets, he actually knew few of the details. He was able to 
explain, however, how computer cryptosystems generated a 
series of digits that represented a keystream, and how that 
would be “xor-ed” with the plaintext stream to get a
ciphertext. (As any computer scientist knows, an xor
operation involves pairing a digital bit with another bit, and
generating a one or zero depending on whether they 
match.) If the key is suitably unpredictable, your output 
would be the most imponderable string of gibberish 
imaginable, recoverable (one hoped) only by using that 
same key to reverse the process. 


Imponderable, of course, is a relative term, but those who 
devised cryptosystems had a standard to live up to: 
randomness. The idea was to create ciphertext that 
appeared to be as close to a random string of characters as 
possible. Otherwise, a smart, dedicated, and resourceful 
codebreaker could seize upon even the most subtle of 
patterns and eventually reconstruct the original message. A 
totally random stream could produce uncrackable code— 
this essentially represented the most secure form of 
encryption possible, the so-called one-time pad, a system 
that provided a truly randomly chosen substitute for every 
letter in the plaintext. One-time pads were the only 
cryptographic solution that was mathematically certain to 
be impervious to cryptanalysis. 


The problem with one-time pads, however, was that for 
every character in the message, you needed a different
number in the “key material” that originally transformed 
readable plaintext into jumbled ciphertext. In other words, 
a key for a one-time pad system had to be at least as long as 
the message and couldn’t be used more than once. The 
unwieldiness of the process made it difficult to implement in 
the field. Even serious attempts to deploy one-time pads 
were commonly undermined by those tempted to save time 
and energy by reusing a pad. 
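The xor-with-a-keystream scheme and the one-time pad's two rules (key at least as long as the message, never used twice), as an added example that is not from the book. The messages, the `OneTimePad` class and the helper names are constructed for illustration; the last function shows what is exposed when a pad is reused.

```python
import secrets

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings, bit by bit."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Key material that is consumed as it is used and never handed out twice.

    Sender and receiver each hold a copy of the same material and consume it
    in step, so the same call sequence on both sides stays synchronized.
    """

    def __init__(self, material: bytes):
        self._material = material
        self._offset = 0

    def take(self, n: int) -> bytes:
        # Rule 1: the key must be at least as long as the traffic it protects.
        if self._offset + n > len(self._material):
            raise ValueError("pad exhausted: no unused key material left")
        chunk = self._material[self._offset:self._offset + n]
        # Rule 2: advancing the offset makes reuse of these bytes impossible.
        self._offset += n
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor_bytes(plaintext, self.take(len(plaintext)))

    # XOR is its own inverse, so decryption is the same operation.
    decrypt = encrypt

def round_trip(message: bytes) -> bytes:
    """Encrypt on one side, decrypt on the other, with fresh random key material."""
    material = secrets.token_bytes(len(message))
    sender, receiver = OneTimePad(material), OneTimePad(material)
    return receiver.decrypt(sender.encrypt(message))

def reuse_leak(p1: bytes, p2: bytes) -> bytes:
    """Encrypt two equal-length messages under the SAME pad and XOR the results.

    The pad cancels out: c1 XOR c2 equals p1 XOR p2, so the ciphertexts alone
    reveal a relationship between the plaintexts, however random the pad was.
    """
    pad = secrets.token_bytes(len(p1))
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)
    return xor_bytes(c1, c2)

# Constructed sample messages of equal length (15 bytes each).
P1 = b"MEETING AT NINE"
P2 = b"INVOICE IS PAID"

if __name__ == "__main__":
    print(round_trip(P1))
    leak = reuse_leak(P1, P2)
    print(leak == xor_bytes(P1, P2))   # the random pad has vanished
    print(xor_bytes(leak, P1))         # anyone who knows P1 now reads P2
```
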


His conversations with Silver excited Diffie. The subject of 
“pseudo-randomness” was clearly of importance to both the 
mathematical and real worlds, where security and privacy
depended on the effectiveness of those codes. How close to
randomness could we go? Obviously, there was a lot of work 
going on to discover the answer to that question—but the 
work was going on behind steep barriers erected and 
maintained by the government’s intelligence agencies. 


In fact, just about all the news about modern 
cryptography was behind that barrier. Everyone else had to 
rely on the same texts Whitfield Diffie had encountered in 
the fifth grade. And they didn’t talk about how one went 
about changing the orderly procession of ones and zeros in 
a computer message to a different set of totally inscrutable 
ones and zeros using state-of-the-art stuff like Fibonacci 
generators, shift registers, or nonlinear feedback logic. 
Diffie resented this. “A well-developed technology is being 
kept secret!” he thought. He began to stew over this 
injustice. One day, walking with Silver along Mass Avenue 
near the railroad tracks, he spilled his concerns. 
Cryptography is vital to human privacy! he railed. Maybe, 
he suggested, passionate researchers in the public sector 
should attempt to liberate the subject. “If we put our minds 
to it,” he told Silver, “we could rediscover a lot of that 
material.” That is, they could virtually declassify it. 


Silver was skeptical. “A lot of very smart people work at 
the NSA,” he said, referring to the National Security 
Agency, the U.S. government’s citadel of cryptography. After 
all, Silver explained, this organization had not only some of 
the best brains in the country, but billions of dollars in 
support. Its workers had years of experience and full access 
to recent cryptographic discoveries and techniques 
unknown to the hoi polloi—however intelligent—without 
high security clearances. The agency had supercomputers 
in its basement that made even MIT’s state-of-the-art 
mainframe computers look like pocket calculators. How 
could outsiders like Diffie and Silver hope to match that? 


Silver also told Diffie a story about his own NSA 
experience years earlier while writing a random number 
generator for the Digital Equipment Corporation’s PDP-1 
machine. He needed some information: his reasons were 
noncryptographic; he simply had a certain mathematical 
need, a polynomial number with some particular properties. 
He was sure that a friend of his at the NSA would know the 
answer instantly, and he put in a call. “Yes, I do know,” said 
the friend. What was it? After a very long silence, during 
which Silver assumed that the friend was asking 
permission, the NSA scientist returned to the phone. Silver 
heard, in a conspiratorial whisper, “x to the twenty-fifth, 
plus x to the seventh, plus one.” 


Diffie was outraged at this secretiveness. He’d heard 
about the NSA, of course, but hadn’t known that much 
about it. Just what was this organization, which acted as if it 
actually owned mathematical truths? 


Created by President Truman’s top-secret order in the fall 
of 1952, the National Security Agency was a multibillion- 
dollar organization that operated totally in the “black” 
region of government, where only those who could prove a 
“need to know” were entitled to knowledge. (It was not 
until five years after its founding that a government 
document even acknowledged its existence.) The NSA’s 
cryptographic mission is twofold: to maintain the security of 
government information and to gather foreign intelligence. 
The double-sided nature of its duty led the NSA to organize 
itself into two major divisions: Communications Security, or 
COMSEC, which tries to devise codes that cannot be 
broken, and Communications Intelligence, or COMINT, 
which collects and decodes information from around the 
world. (Since the latter function most often involves
intercepting and interpreting electronic information, it is
more broadly referred to as signals intelligence, or SIGINT.)
Over the years the NSA has established a vast network of 
listening devices and sensors to gather signals from even 
the most obscure reaches of the globe, an operation that 
expanded beyond the planetary atmosphere when the 
satellite era began in the 1960s. 


In the early 1970s, none of this was discussed publicly. 
Within the Beltway, people in the know jokingly referred to 
the organizational acronym as No Such Agency. Those very 
few members of Congress who had oversight responsibility 
for intelligence funding would learn what had to be 
conveyed only in shielded rooms, swept for listening 
devices. 


Access to the organization’s headquarters at Fort George 
Meade, Maryland, was, as one might imagine, severely 
limited. A triple-barbed-wired and electrified fence kept 
outsiders at bay. To work within the gates, of course, one 
had to survive a rigid vetting. 


“By joining NSA,” reads the introduction to a handbook 
presented to new hires, “you have been given an 
opportunity to participate in the activities of one of the most 
important intelligence organizations of the United States 
government. At the same time you have assumed a trust 
which carries with it a most important individual 
responsibility—the safeguarding of sensitive information 
vital to the security of our nation.” 


Since all the salient information about modern crypto was 
withheld from public view, outsiders could only guess at 
what happened in “The Fort.” The NSA undoubtedly 
operated the most sophisticated snooping operation in the 
world. It was universally assumed (though never admitted)
that no foreign phone call, radio broadcast, or telegraph
transmission was safe from the agency’s global vacuum
cleaner. Signals were sucked up and the content analyzed 
with multi-MIPS computers, combing the text for anything 
of value. (These suspicions were later confirmed with leaks 
of Project Echelon, the NSA’s ambitious program to monitor 
foreign communications.) Were the results worth the 
billions of dollars and the questionable morality of the effort 
itself? This was something known only to the very few 
government officials who received briefings on the fabled 
intercepts—and even they were dependent on the quality of 
information that came from the agency itself. 


What’s more, the NSA considered itself the sole 
repository of cryptographic information in the country—not 
just that used by the civilian government and all the armed 
forces, as the law dictated, but that used by the private 
sector as well. Ultimately, the triple-depth electrified and 
barbed-wire fence surrounding its headquarters was not 
only a physical barrier but a metaphor for the NSA’s 
near-fanatical drive to hide information about itself and its 
activities. In the United States of America, serious crypto 
existed only behind the Triple Fence. 


Every day the NSA pored over new ideas for 
cryptographic systems submitted by would-be innovators in 
the field. “Their ideas disappear into the black maw of the 
NSA, and may see service in American cryptography,” 
wrote David Kahn, “but security prevents the inventor from 
ever knowing this—and may enable the agency or its 
employees to utilize his ideas without compensation.” But 
even those who did not submit ideas were not free of the 
NSA’s stranglehold. The agency monitored all patent 
requests concerning cryptography and had the legal power 
to classify any of those it deemed too powerful to fall into 
the public domain. 


As he learned more about the NSA, Whit Diffie came to 
feel a bit foolish that despite his having heard of the agency, 
the extent of its power had only belatedly dawned on him. 
Diffie had actually visited the Institute for Defense Analysis 
(IDA) at Princeton, a quasi-private outpost of the NSA, but 
he’d had only the vaguest idea about the organization’s 
mission at the time. Not that it would have helped him get 
information from those crypto illuminati. One may socialize 
and even exchange thoughts with those who had ventured 
behind the Triple Fence, but only as long as those thoughts 
did not involve the forbidden subject of cryptography. 


Cryptography, however, was exactly what Diffie wanted to 
talk about. He wanted to learn as much as he could, to have 
far-ranging conversations with the leaders in the field. Even 
the foot soldiers in the field would do. But he quickly 
became frustrated with those who would not, or could not, 
talk about it. 


For instance, Diffie quizzed an MIT colleague named Dan 
Edwards, who would join the NSA after graduating. “He 
was extremely unhelpful,” Diffie later reported, “failing to 
reveal things which were certainly not classified and which 
I later saw in the bibliography of his thesis.” And when a 
colleague at Mitre went to work at IDA, Diffie asked him if 
he could share anything about his work. After a tantalizing 
pause: no. 


Perhaps the idea of pursuing the forbidden was simply 
irresistible to a contrarian like Diffie. He kept thinking 
about crypto and the silent embargo against it. And the 
more he thought about the problem, the more he came to 
understand how deeply, deeply important the issue was. 
Especially in what he saw as the coming era of 
computational ubiquity. As more people used computers, 
wireless telephones, and other electronic devices, they 
would demand cryptography. Just as the invention of the 
telegraph upped the cryptographic ante by moving 
messages thousands of miles in the open, presenting a ripe 
opportunity for eavesdroppers of every stripe, the 
computer age would be moving billions of messages 
previously committed to paper into the realm of bits. 
Unencrypted, those bits were low-hanging fruit for 
snoopers. Could cryptography, that science kept 
intentionally opaque by the forces of government, help out? 
The answer was as clear as plaintext. Of course it could! 


Right at MIT there was an excellent example of a need for 
a cryptographic solution to a big problem. The main 
computer system there was called Compatible Time 
Sharing System (CTSS). It was one of the first that used 
time-sharing, an arrangement by which several users could 
work on the machine simultaneously. Obviously, the use of a 
shared computer required some protocols to protect the 
privacy of each person’s information. CTSS performed this 
by assigning a password to each user; his or her files would 
be in the equivalent of a locked mini-storage space, and 
each password would be the equivalent of the key that 
unlocked the door to that area. Passwords were distributed 
and maintained by a human being, the system operator. 
This central authority figure in essence controlled the 
privacy of every user. Even if he or she were scrupulously 
honest about protecting the passwords, the very fact that 
they existed within a centralized system provided an 
opportunity for compromise. Outside authorities had a clear 
shot at that information: simply present the system 
operator with a subpoena. “That person would sell you out,” 
says Diffie, “because he had no interest in defying the order 
and going to jail to protect your data.” 


Diffie believed in what he called “a decentralized view of 
authority.” By creating the proper cryptographic tools, he 
felt, you could solve the problem—by transferring the data 
protection from a disinterested third party to the actual 
user, the one whose privacy was actually at risk. He 
fantasized about a company that would invent and 
implement such tools. He even had a name for this 
imaginary concern: Privacy Protection, Incorporated. 


But in Diffie’s fantasy, it was someone else who devised 
the solution, someone else who founded the company—not 
him. Though he was becoming absolutely sure that the 
problems of maintaining privacy in a non-crypto-protected 
world were insurmountable, he assumed that others would 
be better qualified, better motivated, more practically 
oriented than he to create the crypto to tackle such 
problems. So he tried to convince others to work on the 
solution. With little success. “None of the people I tried to 
get interested in the subject did anything,” he recalls. 


So Diffie kept working on his main interest, which lay in a 
mathematical problem called “proof of correctness.” But he 
kept researching what he could on crypto, though at this 
point his efforts were far from methodical. One day at the 
Cambridge Public Library, Diffie was browsing the recent 
acquisitions and came across The Broken Seal by Ladislas 
Farago, a book about the pre-Pearl Harbor codebreaking 
efforts. He read a bit of it right there, and he certainly 
thought it worth reading further. But he never did. (Worse, 
he came to confuse this book with another book published 
at that time, David Kahn’s The Codebreakers, which 
delayed his reading of the more important work.) 


Similarly, one day at Mitre, a colleague moving out of his 
office gave Diffie a 1949 paper by Claude Shannon. The 
legendary father of information theory had been teaching 
at MIT since 1956, but Diffie had never met him, a slight, 
introverted professor who lived a quiet family life, pursuing 
a variety of interests from reading science fiction to 
listening to jazz. (Presumably, by the time Shannon had 
reached his sixties, he had put aside the unicycle he had 
once mastered.) 


Shannon’s impact on cryptography was considerable. 
After receiving an MIT doctorate in 1940, he had worked 
for Bell Telephone Laboratories during the war, specializing 
in secrecy systems. The work was classified, of course, but 
in the late part of the decade the two key papers in 
Shannon’s wartime work found their way into the public 
domain. In 1948, Shannon’s seminal article on information, 
“Mathematical Theory of Communication,” ran in the Bell 
System Technical Journal, and subtly set the stage for the 
digital epoch. A year later, “Communication Theory of 
Secrecy Systems” appeared in the same journal. 


Both efforts were highly technical; those without 
advanced math degrees could barely venture a few 
paragraphs without being snared in a thicket of thorny 
equations and formulas. But Shannon had a sense of clarity 
that enabled him to send a clear signal through the noise of 
high-level math. In the latter paper, he clearly and concisely 
examined the basic cryptographic relationship from 
scratch, addressing the “general mathematical structure 
and properties of secrecy systems.” He even provided a 
diagram of the classic cryptanalytic situation, beginning 
with a box representing the original message. This was 
transformed by an “encipherer” with access to a “key 
source.” The message would move to the “decipherer,” 
who’d use the same key source to return the message to its 
original form. But there was another line branching out 
from the cryptogram. It led to the “enemy cryptanalyst,” 
who might be able to intercept the encrypted message. 
That third party was always to be assumed. The challenge 
was to make it impossible for that enemy to crack the 
cryptogram. 


The concepts of signal and noise loomed large in 
Shannon’s view of cryptology. He saw crypto as a 
high-stakes zero-sum game between secret keeper and foe, 
where a successful secret was a signal that could not be 
teased out of the apparent noise. In his sixty-page 
discussion of the matter, he masterfully clarified the 
dilemma of both encrypter and enemy. The gift of the 
Shannon paper was undoubtedly one of the most valuable 
that a prospective cryptographer like Diffie could hope for 
in the late 1960s. Diffie himself would later consider it the 
last worthwhile unclassified paper published for over 
twenty years. 


Too bad that Whit Diffie, still pursuing knowledge in a 
scattershot manner, waited several years before actually 
reading it. 


In 1969, Diffie finally left Mitre. His funding had run out, 
and now that he was approaching the draft cutoff age, he 
had the freedom to leave. He had never really liked 
Cambridge very much. In high school, Diffie had hung out 
with the left-liberal and even the red diaper set, and led a 
full social life, with folk-singing parties and lots of friendly 
girls. Though similar scenes undoubtedly existed in 
Cambridge, “I just didn’t find them,” Diffie now moans. But 
at the University of California at Berkeley, where he spent a 
summer after his freshman year, Diffie found a place among 
the left-leaning protest crowd. “I really believe in the 
radical viewpoint,” he says. “And I have always believed that 
one’s politics and the character of his particular work are 
inseparable.” 


So Diffie and his girlfriend moved west, and Diffie went to 
work at John McCarthy’s Stanford Artificial Intelligence 
Lab. Supposedly, he would continue working on proof of 
correctness and other mathematical problems that applied 
to computer science. But in conversations with McCarthy, 
Diffie was led into a deeper consideration of privacy 
concerns. A pioneer in time-sharing, McCarthy understood 
that soon computer terminals would find their way into the 
home. Inevitably, he believed, the nature of work itself 
would change, as the electronic office became something 
that moved out of the cloistered world of computer 
scientists and hackers and deep into the mainstream. This 
would open up not only a thicket of security problems, but 
also a host of novel challenges that almost no one was 
thinking about in 1969: If work products became electronic 
—produced on computer and sent over digital networks— 
how would people duplicate the customary forms of 
authentication (the means to verify that the author of a 
document was actually the person he or she claimed to be)? 
What would be the computerized version of a receipt? How 
could you get a computer-generated equivalent of a signed 
contract? Even if people were given unique “digital 
signatures”—say, a long, randomly generated number 
bequeathed to a single person—the nature of digital media, 
in which something can be copied in milliseconds, would 
seem to make such an identifier pointless. If you “signed” 
such a number to a contract, what would stop someone 
from simply scooping up the signature, making a perfect 
copy, and affixing it to other documents, contracts, and 
bank checks? If even the possibility of such unauthorized 
signed copies existed, the signature would be worthless. “I 
didn’t sign this,” someone could say. “Someone copied my 
signature!” Diffie began to wonder how one could begin to 
fix this apparently inherent flaw in the concept of digital 
commerce. 
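
The copying problem raised in this paragraph, as an added example that is not part of the book: a fixed personal number verifies on any document once it has been seen, while a signature computed from the document itself does not transfer. The toy RSA key, the function names and the sample documents are assumptions constructed for the illustration.

```python
import hashlib
import secrets

# Toy RSA key built from two well-known Mersenne primes. Constructed for this
# illustration only: far too small for real use, and textbook RSA has no
# padding. Real systems use a vetted library (e.g. RSA-PSS or Ed25519).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known only to the signer


def digest(document: bytes) -> int:
    """Map a document to an integer below N (SHA-256, reduced mod N)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


# Scheme A: the "long, randomly generated number" affixed to every document.
def static_sign(identifier: int, document: bytes) -> int:
    return identifier                     # ignores the document entirely


def static_verify(identifier: int, document: bytes, signature: int) -> bool:
    return signature == identifier        # so every document passes


# Scheme B: the signature is computed from the document and a private key.
def bound_sign(document: bytes) -> int:
    return pow(digest(document), D, N)


def bound_verify(document: bytes, signature: int) -> bool:
    # Verification needs only the public values (N, E).
    return pow(signature, E, N) == digest(document)


def demo() -> dict:
    contract = b"Alice agrees to pay Bob $100."          # constructed sample
    forgery = b"Alice agrees to pay Mallory $100,000."   # constructed sample

    alice_number = secrets.randbits(128)
    copied = static_sign(alice_number, contract)   # seen once by a copier
    sig = bound_sign(contract)

    return {
        "static_genuine": static_verify(alice_number, contract, copied),
        # The flaw: the copied number is just as valid on a different document.
        "static_transplanted": static_verify(alice_number, forgery, copied),
        "bound_genuine": bound_verify(contract, sig),
        # The same transplant fails when the signature depends on the content.
        "bound_transplanted": bound_verify(forgery, sig),
        "bound_altered_signature": bound_verify(contract, (sig + 1) % N),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```
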


Diffie and McCarthy spent hours in rambling discussions 
on issues like authentication and the problems of 
distributing electronic keys. But Diffie still was more 
interested in letting others create the solution. In the 
summer of 1972, however, machinations in Washington, 
D.C., indirectly changed his course. 


The government, under the aegis of the Defense 
Department’s Advanced Research Projects Agency (ARPA), 
had recently begun a program to link major research 
institutions. This was known as the ARPAnet, a system that 
would one day transmogrify into today’s Internet. ARPA’s 
director of information-processing techniques, Larry 
Roberts, realized that such a computer network, the first 
computer net to link multiple sites and handle hundreds if 
not thousands of users, would need a way to keep messages 
secure, and the obvious way of doing that was to devise new 
crypto solutions. But when Roberts approached the NSA, 
he got a quick brush-off. Ultimately, he enlisted the help of 
Bolt Beranek Newman, the Boston-based company that 
helped set up ARPAnet in the first place. In the meantime, 
he mentioned the problem to his friend John McCarthy, who 
encouraged people at Stanford to concoct some crypto 
programs. They began working on what Diffie later called 
“a very complicated system combining the effects of several 
linear congruential random number generators.” 


Since Diffie’s girlfriend was on that team, he also was 
drawn into the effort. Naturally, his curiosity led him to 
study the system closely. As he came to understand it, he 
found himself dissatisfied with its lack of efficiency. Diffie 
believed that if cryptography were to be used in a computer 
system, it was essential that users not have to suffer 
performance lags. Ideally, encryption should add but a tiny 
—or imperceptible—increment to the time it took to 
perform a function like copying a file. Diffie went over the 
group’s basic encoding algorithm and eventually wrote a 
routine that ran much faster. In the process—now that he 
was actually doing some cryptography—he began to spend 
even more time thinking about the larger issue of how to 
advance the field. Later that year he went to Cambridge 
and saw Roland Silver again; Diffie now had much more 
hands-on expertise to bring to a discussion of crypto, and 
their rich exchange fueled his interest even more. 


By now Diffie had finally gotten around to reading David 
Kahn’s The Codebreakers. Since Diffie was a very slow, 
methodical reader, tackling a book of a thousand densely 
packed pages was a major undertaking for him. “He 
traveled everywhere with that book in hand,” says his 
friend Harriet Fell. “If you invited him to dinner, he’d come 
with The Codebreakers.” But Diffie found the hundreds of 
hours he spent on the book to be well worth the trouble. 


Indeed, The Codebreakers was a landmark work—and 
one that the government had not wanted to see published. 
Kahn was a Newsday reporter who, as a twelve-year-old, 
had been thrilled, like Diffie and countless other boys, with 
his first exposure to the mysteries of secret writing. That 
moment first came on a visit to the local Great Neck (Long 
Island, New York) library, where the cover to a potboiler 
history called Secret and Urgent, by Fletcher Pratt, was on 
display. “This was about 1942 or ’43,” recalls Kahn. “That 
dust jacket was terrific; it had letters and numbers swirling 
out of the cosmos. I was hooked.” The hook sank deeper 
when he actually read the book and learned about how 
ciphers worked. The youngster joined what was then 
probably the most sophisticated cryptography organization 
outside the government, the American Cryptogram 
Association. Which wasn’t saying much. “It was a bunch of 
amateurs,” he says. “They solved cryptograms as puzzles, 
and used a little publication with articles on how to solve 
them.” Many of the members were elderly, or at least had 
time on their hands. There was even an offshoot called the 
Bedwarmers. “These were people with polio, or were in 
some sort of clinic, or were paralyzed,” says Kahn. “They 
couldn’t move around very well so they solved puzzles.” 
Such was the scope of crypto work outside the government. 


Unlike Diffie, however, Kahn loved to solve the puzzles 
himself, and kept his interest into adulthood. He discussed 
some sophisticated schemes with some fellow Cryptogram 
Association members. “Otherwise, you were totally 
isolated,” he says. “This was an unknown field; nobody 
knew anything about it.” But he didn’t detect a more 
general interest in cryptography until 1961, when two NSA 
cryptographers defected to the USSR and held a press 
conference about their experience. This was revelatory to 
Kahn; despite diligently monitoring all the public literature 
about cryptography, he had hardly known that the NSA 
existed! Still, since he knew something about crypto, he 
dared to ask editors at the New York Times Magazine if 
they would like a backgrounder on the subject. They did, 
and he produced it. 


The day after the story’s publication, Kahn received three 
book contract offers. He turned them down since they were 
from paperback publishers and he wanted his work 
between boards. He got his wish a week later when an 
editor named Peter Ritner asked him to do a hardcover for 
Macmillan. Kahn wrote up an outline for a general book 
about codes, and received a $2000 advance. But as he 
began working on the introductory section, his research 
efforts kept kicking up more and more interesting stories 
from disparate sources. By the time he reached page 250 of 
his “preliminary chapter”—he had barely gotten to the 
Renaissance—he realized that he was really writing the 
comprehensive history of cryptology. 


Two years into the project, Kahn quit his job to focus his 
efforts full time on the book. He lived off his savings, 
bunking at his parents’ house and eating meals cooked by 
his grandmother. He wrote hundreds of letters, spent days 
in the New York Public Library, and, most important, 
connected with people who had never previously told their 
stories. A high-ranking Department of Defense official 
allowed him access to two important World War II 
codebreakers—an astonishing event given how Cold War 
politics decreed that revealing any information of this sort 
was virtually treason—if he agreed to submit his notes from 
the interviews to the government. “I guess the [Defense 
official] didn’t know what he was getting into,” reasons 
Kahn, “and when the notes got submitted to the NSA, the 
government panicked, and said I had to [disregard the 
information]. I respectfully declined.” 


Kahn also constructed, with the help of an important 
confidential source, the first public account of the extent of 
the NSA’s power, constructing it from the bits and pieces 
that had dribbled out over the years. But the most explosive 
details of Kahn’s book lay in its methodical explanation of 
how cryptography works, and how the NSA used it. When 
The Codebreakers was finished in 1965, it contained the 
most complete description of the operations of Fort Meade 
that had ever been compiled without an EYES-ONLY stamp on 
each page. 


Quite correctly, officials at the National Security Agency 
had come to view Kahn’s book as a literary hand grenade, 
with the potential for serious damage to the government’s 
carefully maintained ramparts of secrecy. In his NSA exposé 
The Puzzle Palace, author James Bamford wrote that 
“innumerable hours of meetings and discussions, involving 
the highest levels of the agency, including the director, were 
spent in an attempt to sandbag the book.” 


Countermeasures considered behind the Triple Fence 
ranged from outright purchase of the copyright to a 
break-in at Kahn’s home. Kahn, who had moved to Paris to work 
for the Herald Tribune, was placed on the NSA’s “watch 
list,” enabling eavesdroppers to read his mail and monitor 
his conversations. 


To Kahn’s dismay, in March 1966 his editor sent the 
manuscript off to the Pentagon for its scrutiny and 
comments. Of course, it was then shipped to Fort Meade. 
The Defense Department wrote Macmillan’s chairman that 
publishing The Codebreakers “would not be in the national 
interest.” But Macmillan didn’t bend, less because of 
backbone, Kahn guesses, than the fact that by that point in 
the production process “they had too much money put into 
it.” 


So the NSA took an extraordinary step. In July 1966, its 
director, Lt. Gen. Marshall S. Carter—a man so secretive 
that his name never appeared in newspapers—flew to New 
York City and met with the chairman of the publishing 
company, its legal counsel, and Kahn’s editor, Peter Ritner. 
After attacking Kahn’s reputation and expertise, Carter 
finally made a personal appeal for three specific deletions. 
A few days later, Ritner presented Kahn with the request. 
The actual deletions struck Kahn as surprisingly 
inconsequential. “It didn’t really hurt the book, so I took the 
three things out,” Kahn says. “But I insisted that we put in a 
statement to the effect that the book had been submitted to 
the Department of Defense. In the end that had a good 
effect, because right-wing reviewers could otherwise have 
said the book was destroying the republic. Now they 
couldn’t.” 


While The Codebreakers never made the New York Times 
bestseller list, it became a steady seller, going through 
dozens of printings. And it did not, as the NSA had 
hysterically predicted, bring an abrupt close to the 
American century. It did, however, enlighten a new 
generation of cryptographers who would dare to work 
outside of the government’s wall of secrecy. And its prime 
student was Whitfield Diffie. 


“I read it more carefully than anyone had ever read it.... 
Kahn’s book to me is like the Vedas,” he explains, citing the 
centuries-old Indian text. “There’s an expression I learned: 
‘If a man loses his cow, he looks for it in the Vedas.’ ” 


By the time Whitfield Diffie finished The Codebreakers, he 
was no longer depending on others to tackle the great 
problems of cryptography. He was personally, passionately 
engaged in them himself. They consumed his waking 
dreams. They were now his obsession. 


Why had Diffie’s once-intermittent interest become such a 
consuming passion? Behind every great cryptographer, it 
seems, there is a driving pathology. Though Diffie’s quest 
was basically an intellectual challenge, he had come to take 
it very personally. Beneath his casual attire and streaming 
blond hair, Diffie was a proud and determined man. He had 
an unusual drive for getting at what he considered the 
bedrock truth of any issue. This led to a fascination with 
protecting and uncovering secrets, especially important 
secrets that were desperately held. “Ostensibly, my reason 
for getting interested in this was its importance to personal 
privacy,” he now says. “But I was also fascinated with 
investigating this business that people wouldn’t tell you 
about.” It was as if solving this conundrum would provide a 
more general meaning to the world at large. “I guess in a 
very real sense I’m a Gnostic,” he says. “I had been looking 
all my life for some great mystery. . . . I think somewhere 
deep in my mind is the notion that if I could learn just the 
right thing, I would be saved.” 


And then, Diffie’s quest to discover truths in cryptography 
became intertwined with another sort of romance: his 
courtship of Mary Fischer. 


It had not been Whit Diffie’s original intention to fall in love 
with a Jewish Brooklyn-born animal trainer who was 
already married. Up to the day when she upbraided him on 
the phone for ignoring her, he had in fact hardly thought of 
her. But her outburst struck a nerve, perhaps more so 
because his own longtime relationship was on the wane. 
When he bid goodbye to Mary on his way across the 
country, and told her he’d see her in a year, he meant it. 
With about $12,000 he had saved from his salary at Mitre 
and an intention to live “low on the hog,” as he later put it, 
he was out to learn all he could about crypto—and maybe 
do something about it. That seemed like a solitary mission. 


But in August 1973, when he stopped by Fischer’s New 
Jersey house for a visit, he found that her marriage was 
falling apart and that she was finding relief by going to 
charismatic prayer meetings. It was not the type of thing 
she felt comfortable talking about to mathematical types 
like Diffie, but when she came out with it, his reaction took 
her aback. “You know, Mary,” he said, “I’ve always had a 
soft spot for mystics.” They began to spend time together. 
Fischer didn’t drive, and Diffie fell into the habit of 
escorting her to zoos—especially to locate a King cobra— 
and then on longer trips to view architecturally interesting 
churches. At one point, on a Massachusetts road, Diffie 
impulsively pulled the car over and very quietly told Mary 
he loved her. She said she loved him back. And that was 
that. Though it was painful for Fischer to acknowledge the 
end of her marriage, Diffie hastened the process by daring 
her to join him on a sojourn to Florida to watch a launch of 
the Skylab mission. They drove straight through and 
arrived at Cape Canaveral at three in the morning. Some 
hours later, they watched together as the big rocket blew 
fire on its jump toward the cosmos. 


From that point, Mary Fischer was Diffie’s companion, 
and eventually his wife, as he drove thousands of miles in 
his search for an answer to the riddle of cryptography. They 
would pass the hours talking, or, more often, singing 
popular tunes. The National Security Agency had no clue 
that the man who was about to make life infinitely more 
difficult for them was spending endless hours in a Datsun 
510, crooning “Sweet Caroline” with his new girlfriend. 
Though Fischer had little understanding of the technologies 
and mathematics that drove Diffie, she became his partner 
in the quest. His cryptographic muse. 


“I was terrified all the time because I’d abandoned 
everything that was familiar to me,” she recalls of those 
days. “Every now and then he’d stop off at a library, or see 
somebody, and it was really cloak and dagger—people who 
didn’t want to talk to him, people who put their coats over 
their faces, people who wanted to know how the hell he’d 
found out their names, people who had secrets, clearly, and 
were not about to share them. And Whit was trying to ferret 
those secrets out. It was a perpetual kind of voyage of 
discovery because he kept checking out these people. And 
sometimes he’d say, ‘I want you to stand here to listen. I 
don’t want anybody to see you but I just want you to listen.’ 
So I went on some of these encounters. But basically I 
didn’t have a clue what he was up to.” 


Sometimes Diffie would try to explain his motivations to 
her. The computer age, he told Mary, held terrible 
implications for privacy. As these machines become 
ascendant, and we use them for everyday communication, 
he warned, we may never experience privacy as we know it 
today. His apocalyptic tone unsettled Mary, but she wanted 
to hear more. 


Eventually, Mary understood how Diffie’s mission mixed 
the political with the personal. Devising a way to wedge 
open the NSA’s grip on crypto would satisfy not only Diffie’s 
sixties-style rebelliousness, but also what would later be 
identified as a strongly libertarian ethic in him. “Whit wants 
to uncover secrets,” she says. “Anything that’s secret is 
something that Whit has to know. When we first got 
together I couldn’t believe it. He was doing things like 
going through my garbage bags. He didn’t trust anything. 
He feels as though what ordinary people take for granted is 
just too simple and there must be more under the surface 
there. And he builds up terrible complications that way.” 


Of course, the most significant complication was his 
seemingly quixotic mission to discover something under the 
nose of the National Security Agency. He wondered 
whether he was putting himself at risk, and indeed, because 
of this, “my attitude was to keep my head down for the first 
couple of years,” he says. Ultimately, though, the length of 
the odds stacked against him only made the quest more 
attractive to Diffie. 


One thing Diffie did trust during this period was the 
Datsun 510 automobile. He kept buying and rebuilding 
them, even though the evidence indicates that the cars 
were far from immortal. “I was stubborn,” he explains, 
adding that “most of what I do is characterized by the fact 
that I’m stubborn.” Mary Fischer puts it differently. “When 
Whit decides he wants something, he’ll research it 
thoroughly, fix on the best idea of its kind, and from then on 
he is married to that thing.” His Datsun broke down in 
Nebraska, whereupon Diffie rented a truck and transported 
the car to the West Coast. He then purchased a second 510, 
a black junker with about 100,000 miles on it. “It had a fine 
set of insides in it,” Diffie recalls fondly. This took him and 
Mary on their second continental crossing. The car took 
sick in La Mesilla, New Mexico, emitting an ominous 
chink-chink-chink sound, but it got Whit and Mary back to 
California, only to go dead in a Redwood City parking space 
two days later. Diffie then purchased more Datsuns, 
initiating an elaborate process of vehicular organ 
transplants. “At one point we had five Datsuns,” recalls 
Mary Fischer. “Whit would work on them himself; he didn’t 
trust mechanics. He is not an utterly trusting soul.” 


What did Diffie encounter during his cross-country 
journeys? Many people who refused him. But a few helped, 
providing him with hints of contemporary crypto 
techniques, or even unpublished works. Among those 
helpers was Diffie’s personal Mao, David Kahn, who invited 
Diffie for pizza at his Long Island home after Diffie had 
cold-called to introduce himself. Though taken aback by Diffie’s 
appearance—an abundance of hair and ultracasual attire— 
The Codebreakers’ author was impressed with his 
knowledge. He agreed to provide Diffie with some crypto 
documents from his research. 


One important cache of papers dealt with William 
Friedman, the acknowledged godfather of the 
government’s cryptographic efforts. A naturalized 
American born in Russia late in the nineteenth century, 
Friedman had become interested in cryptography while 
researching the possibility that Francis Bacon was the true 
author of Shakespeare’s plays. (Many years later Friedman 
and his wife Elizabeth would authoritatively debunk this 
notion in their book, The Shakespearean Ciphers 
Examined.) During World War I, Friedman became involved 
in the U.S. government’s codebreaking efforts and 
developed a series of courses to train prospective 
cryptanalysts. Within the closed community, his works 
became classics, particularly those on his use of statistics to 
crack codes. Friedman’s World War II work was 
instrumental in breaking the Japanese cipher PURPLE, and 
he was an important figure in the early NSA, remaining 
active as a consultant long after his retirement in 1955. 
Throughout, virtually all his critical work was top-secret, so 
when Kahn offered Diffie a look at some rare, recently 
declassified materials, Diffie treated them like the original 
copies of the Constitution. Instead of handing the bound 
books over to attendants at a photocopying center, he 
lovingly photographed each page with a 35mm camera. 
This meticulousness proved prescient, as the NSA hadn’t 
yet realized that copies of these papers had slipped 
underneath the Triple Fence; when it did, the agency would 
attempt to retroactively classify the material, thus making 
criminals of those who did not immediately turn them over 
to the proper authorities. 


In the summer of 1974, Diffie heard that Jim Reeds, a 
Harvard doctoral student in statistics he had met a year 
earlier, was leading a seminar in cryptography there. Diffie 
headed back to Cambridge and sat in. Also attending was 
Bill Mann, a friend who was working on the ARPA security 
plan. At one point Diffie was trying to explain to Mann the 
meaning of something called a one-way function. This was a 
mathematical oddity that he had come across and couldn’t 
stop thinking about. A true one-way function is something 
that can be calculated easily in one direction but not easily 
reversed—a mathematical Humpty-Dumpty. One 
cryptographer would later explain that when you broke a
dinner plate, you were using a one-way function: “It is easy
to smash a dinner plate,” he wrote. “However, it’s not easy 
to put all of those tiny pieces back together again into a 
plate.” 


Diffie was increasingly convinced that one-way functions 
could figure into a new kind of cryptographic approach, but 
he wasn’t sure how. He couldn’t even explain what it was 
clearly enough for Mann to understand it. But Mann 
misunderstood it rather creatively. He came away with the 
impression that a one-way function was something that not 
only could be quickly computed in one direction but could 
be calculated in reverse as well—if you had the proper 
information. Using the plate analogy, Mann said it was as if 
the guy who broke the plate had some magic way to un- 
break it, like a film running backward showing those tiny 
shards of broken china fusing back into a pristine dinner 
plate. As he laid out his conception to Diffie, Mann was 
envisioning what one day would be called a “trapdoor one- 
way function.” It would prove to be a prescient 
misunderstanding. 


Also in Cambridge, Diffie talked about crypto with 
Richard Schroeppel. He was a former MIT hacker who had 
a reputation as a math wizard. Schroeppel had been 
thinking about the idea of electronic commerce, and was 
beginning to grapple with the same sorts of problems that 
Diffie and McCarthy had discussed: What if Company A 
wanted to place an electronic order with some Company B 
and no preexisting relationship existed? How could they 
secure their communications? 


Schroeppel was impressed that Diffie had done a lot of 
thinking about such problems. And he certainly respected 
Diffie, who had done great, though unheralded, work at 
MIT’s AI lab, building Macsyma. Schroeppel also knew that
Diffie had written the complicated routines to handle large
numbers in the Stanford version of the computer language 
LISP. “To my mind, writing a set of big number routines 
crosses you over a threshold,” says Schroeppel. “It’s like 
passing the Bar [exam]; it means you really know how to 
use a computer and you really know how to do arithmetic.” 


Over lunch one day Diffie floated the idea that perhaps 
there was a way to get around the electronic commerce 
problem. What about a one-way function, he suggested—a 
reversible one-way function, like the one Bill Mann had 
unwittingly suggested? Could that possibly be part of a
solution? They talked about it for a while, but Schroeppel
was skeptical. “Actually, you probably can’t find any of those
functions,” he warned Diffie. “They probably don’t exist.” 


Undaunted, Diffie kept on, desperate for someone who 
could provide him with more clues. He and Fischer went to 
see a friend in Cambridge who mentioned a fellow named 
Alan Tritter. Tritter supposedly had done work in 
cryptography. He now worked for IBM. So during that same 
summer of 1974, Diffie tracked him down at the major 
center of cryptographic activity outside the government, 
IBM’s T. J. Watson Labs, in Westchester County, New York. 


Even in a field littered with brilliant oddballs, Tritter 
stood out. Due to a rare disease that generated a massive 
volume of body fat, he weighed what friends estimated as a 
minimum of 400 pounds. Rumor had it that his grandfather 
had been a wealthy man who had left Tritter only enough 
money to attend school. Though some regarded him as a 
mathematical genius, others felt that his reputation was 
unearned. “Immediately after he was hired, it was 
regretted, but IBM wouldn’t admit its error,” complained 
one former IBM colleague. “I don’t really think he did 
anything there.” On the other hand, Tritter was ahead of his
time by acquiring an early mastery of telephone hacking.
He would die young. 


Diffie was immediately gratified to learn that Tritter was 
knowledgeable about Identification Friend or Foe (IFF) 
devices. Reading Kahn’s book, Diffie had been intrigued by 
its mention of these systems, which are communications 
devices that essentially quiz each other to authenticate 
one’s identity. As Tritter explained it to Diffie, an IFF device 
works by issuing a cryptographic “challenge,” one that can 
be successfully met only by use of secret information to 
precisely solve the problem. The canonical IFF situation is a 
fighter plane encountering another airborne craft during a 
period of hostilities. If the intruder is a foe, it must be shot 
down, but it’s obviously unwise to fire before determining if 
the target might be an ally. The IFF process is an electronic 
equivalent to a sentry’s question to an approaching foot 
soldier: “What’s the password?” Of course, IFF systems 
relied on more complicated protocols than passwords. 
Since such communications were generally conducted by 
radio, it was assumed that enemies could listen in, and if a
general password were issued to the forces of one side, a 
foe could easily discover the magic utterance that would 
enable its own planes to pose as friends. 


It turned out that one of Tritter’s colleagues at IBM, a 
German-born scientist named Horst Feistel, had performed 
crucial work in the field. (Unfortunately, Feistel had left for 
a Cape Cod weekend, and Diffie could not meet him then.) 
Tritter explained to Diffie how Feistel’s IFF system got 
around the eavesdropping problem: when confronting an 
as-yet-unidentified aircraft, an American plane could send a 
radio signal containing a challenge randomly selected from 
a large number of possible alternatives. Other U.S. planes 
would be supplied with the means to encrypt that signal in 
the correct manner and send that scrambled response back
to the questioner. The questioner would validate the
response by decrypting it. If this process yielded the 
original signal, the second craft was definitely a fellow 
American. If enemy planes were listening in, it would do 
them no good simply to copy the friendly response and use 
it as a response to a later challenge, because in any 
subsequent encounter, the American planes would choose a 
different signal, one that would be transformed to a 
different encrypted transmission. 
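
The challenge-response exchange Tritter described, as an added example that is not from the book and is not Feistel's actual IFF design. The block cipher is a toy 16-round Feistel network built here from HMAC-SHA256 (an assumption of this sketch, not Lucifer or DES), all class and function names are hypothetical, and the keys and password are constructed sample values.

```python
"""Challenge-response identification in the style of the IFF exchange above.

Added illustration: toy Feistel cipher, hypothetical names, constructed data.
"""
import hashlib
import hmac
import secrets

BLOCK = 16            # challenge length in bytes (two 8-byte halves)
HALF = BLOCK // 2
ROUNDS = 16


def _subkeys(key):
    # Constructed key schedule: one HMAC-derived subkey per round.
    return [hmac.new(key, b"round-%d" % i, hashlib.sha256).digest()
            for i in range(ROUNDS)]


def _f(subkey, half):
    # Round function; it does not need to be invertible in a Feistel network.
    return hmac.new(subkey, half, hashlib.sha256).digest()[:HALF]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block, subkeys):
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:HALF], block[HALF:]
    for k in subkeys:
        left, right = right, _xor(left, _f(k, right))
    return right + left      # final swap: decryption is the same walk, keys reversed


def encrypt_block(key, block):
    return _feistel(block, _subkeys(key))


def decrypt_block(key, block):
    return _feistel(block, list(reversed(_subkeys(key))))


class Interrogator:
    """The questioning aircraft: issues a fresh challenge, checks the reply."""

    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(BLOCK)
        return self._pending

    def verify(self, response):
        expected, self._pending = self._pending, None   # each challenge is single-use
        if expected is None or len(response) != BLOCK:
            return False
        return hmac.compare_digest(decrypt_block(self._key, response), expected)


class Transponder:
    """The answering aircraft: encrypts whatever challenge it receives."""

    def __init__(self, key):
        self._key = key

    def respond(self, challenge):
        return encrypt_block(self._key, challenge)


def password_check(expected, spoken):
    """The sentry's fixed password, for contrast with the challenge scheme."""
    return hmac.compare_digest(expected, spoken)


def demo():
    key = secrets.token_bytes(32)                    # shared by friendly craft only
    asker, friend = Interrogator(key), Transponder(key)
    outsider = Transponder(secrets.token_bytes(32))  # same device, different key

    overheard = friend.respond(asker.challenge())    # an eavesdropper records this
    friend_ok = asker.verify(overheard)

    asker.challenge()                                # later encounter, new challenge
    replay_ok = asker.verify(overheard)              # the recorded reply, sent again

    wrong_key_ok = asker.verify(outsider.respond(asker.challenge()))

    password = b"constructed-password"               # heard once on the radio
    password_replay_ok = password_check(password, bytes(password))

    return {
        "friend_accepted": friend_ok,
        "replay_accepted": replay_ok,
        "wrong_key_accepted": wrong_key_ok,
        "password_replay_accepted": password_replay_ok,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, accepted)
```

The recorded reply fails on the second encounter because it decrypts to the first challenge, not the current one, while the fixed password is accepted from anyone who has heard it once.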


Tritter’s information was exciting to Diffie. By that 
explanation, IFFs worked in somewhat the same way that a 
one-way function might. He hoped for similarly helpful clues 
when he wangled an audience with the head of the 
mathematical group at IBM, Alan Konheim. He didn’t get 
any. “He was very secretive,” complains Diffie. Konheim, 
now a professor at the University of California at Santa 
Barbara, was one of those mathematicians who had taken 
several NSA-sponsored courses and had signed the fatal 
document that bound them to submit their future 
cryptographic works to the agency. “You sign it once and 
it’s forever,” he later explained. 


There was no way that Konheim was going to give any 
crucial information to the stranger who sat in his office 
along the curved-glass walls of the Watson research 
building. However, Diffie says that Konheim did give him 
one critical piece of information. “He only told me one 
thing, and since then, he’s wished he’d never said that,” 
crows Diffie. That datum was not a cryptographic tip but a 
referral, the name of someone who had been asking the 
same kinds of questions as Diffie had, a guy who had briefly 
worked at the lab and was now an assistant professor at 
Stanford. His name was Martin Hellman. Maybe, Konheim 
suggested, two people can work on a problem better than 
one. 


When Diffie and Mary next drove whichever Datsun 510 
was running at that time to the West Coast for a stint of 
house-sitting for John McCarthy, one of the first things that 
Diffie did was phone this young professor of electrical 
engineering. “I arranged a half-hour meeting at my office at 
Stanford,” Marty Hellman now recalls, “figuring it’s just not 
going to go anywhere, but what the heck.” Thus was made 
the match that, in the world of crypto, would later attain the 
resonance of famous pairings elsewhere: Woodward- 
Bernstein. Lennon-McCartney. Watson-Crick. 


Diffie-Hellman. 


Though he lived in California, Marty Hellman was pure Big 
Apple: pugilistic, in-your-face New York City. With his dark 
hair, beard, and intense stare, he resembled a Semitic 
version of Martin Scorsese. Born in 1945, he grew up 
Jewish in a tough Catholic neighborhood and learned to 
take an outsider’s view. He also took refuge in science. His 
father and uncle both taught physics in the public schools. 
Young Hellman had always been turned on by explorers and 
new frontiers, whether it was Magellan charting the New 
World or Einstein redefining the way we understand the
universe. He was accepted into the Bronx High School of 
Science; his avocation was ham radio. “That probably pulled 
me into electrical engineering,” he said. “It’s a very broad 
area; you can move from theoretical physics through solid- 
state physics and math.” He got his doctorate from Stanford 
in 1969, and his first job was at IBM research in Yorktown 
Heights, New York. 


Not long after he was hired, Hellman gave a paper at an 
information theory symposium held at the Neville hotel and 
resort, the headquarters of the Catskills’ Borscht Belt. The
banquet speaker was David Kahn. Hellman had always
believed that there was something kind of sexy about 
cryptography, but Kahn’s appearance got him thinking 
about it as a serious scientific pursuit, and those thoughts 
got stronger when he discovered that his new employer 
was already working in that field. Surely commercial 
applications existed, he figured. Though Hellman didn’t 
work directly with Horst Feistel, the German-born 
cryptographer worked nearby in the building, and 
sometimes the two of them would sit together at lunch, 
where the older man would describe some of the classical 
cryptosystems and some of the means of breaking them. 


Hellman left IBM in 1970, accepting a post as assistant 
professor at MIT. At that time Peter Elias, who had worked 
closely with Claude Shannon, was just stepping down as the 
head of the electronic engineering department. Elias’s talks 
with Hellman drew the young academic deeper into crypto, 
and for the first time he began thinking about making it the 
focus of his research. “Partially, it was the magician aspect, 
being able to impress people with magic tricks,” he now 
explains. “Also, the potential to make a real impact, and 
advance my career by doing it.” 


He resisted the temptation to do what the vast majority of 
scientists and academics in his field had already done: work 
within NSA strictures. “From the very beginning, once 
someone heard I had an interest in cryptography, the 
people from NSA would come at me,” he says. Hellman 
would profess interest in hearing what they knew, but only 
if he would remain free to publish his own findings. The 
officials would warn him he was wasting his time, and that 
by depriving himself of the research performed at The Fort, 
he’d never come up with anything worthwhile. But Hellman, 
brimming with chutzpah in those days, said, in effect, To 
hell with you, I’m doing it anyway! He figured that even if
he wound up rediscovering something that was already in
the classified literature, his feat would not be redundant, 
because his findings could be exploited for commercial use. 
“It was hard,” he says. “But it was also doing something 
exciting that no one else was doing.” 


Enter Whit Diffie. 


“It was a meeting of the minds,” says Hellman. It came at 
a propitious time: though Hellman had recently published 
his first paper in the field of cryptography—a gloss on 
Shannon’s work—he’d been stuck for a follow-up, and 
longed for a kindred ear. “I’d been working in a vacuum,” 
he says, “and was feeling, ‘Is this really worth it?’ I was 
really getting concerned about whether this was going to 
lead anywhere.” 


Showing up wearing what Hellman called “the AI 
uniform”—black chinos, white socks, white shirt, and tennis 
shoes—Diffie was undoubtedly quirky. But he knew his stuff. 
He knew volumes. Only someone like Hellman, who had 
banged his own head against the ramparts of crypto 
secrecy, could appreciate how well spent were Diffie’s 
months and years traveling, talking to anyone he could find, 
burrowing in libraries for forgotten books like Luigi Sacco’s 
1938 treatise on cryptography, and poring over obscure 
texts like the Friedman papers that NSA had later tried to 
reclassify. “He’d dug up everything I had never seen or had 
the energy to dig up,” says Hellman. Finally, someone with 
whom he could toss ideas back and forth; it was like an 
elegant game of hard catch between two professional 
ballplayers. 


The half-hour meeting went on for an hour, two hours, 
longer. Hellman simply didn’t want it to end, and Diffie, too, 
seemed eager to continue for as long as possible. Hellman
had promised his wife he’d be home by late afternoon to
watch their two small children while she went off, so finally 
he asked Diffie back to his house. No problem! Diffie called 
Mary and she came over to have dinner with Whit and all 
the Hellmans, and it wasn’t until 11:00 or so that night that 
the dialogue broke up. 


Not surprisingly, the two decided to continue the 
conversation. “It was very nebulous,” says Hellman. “He 
had some great ideas, I had some great ideas, and there 
was some overlap. We just loved talking to each other. It 
wasn’t that we had a goal of doing this or a goal of doing 
that—we just wanted to go further down the path we had 
each gone down, without finding someone at the end of the 
path telling us what everybody else was telling us: that we 
were wasting our time.” 


Both Diffie and Hellman firmly believed that the advent of 
digital communications made commercial cryptography 
absolutely essential. All of these huge computer and 
telephone networks made life incredibly easy for 
eavesdroppers—it was going to be possible to fully 
automate spying. At least with radio broadcasts, snoopers 
had to monitor numerous points in the channel band; with a 
network, it was as if everyone were broadcasting on the 
same channel. A spy agency like the NSA could—and would 
—simply turn on the Hoover and inhale gigabytes of data. 
“Ninety-nine percent of what they suck up gets blasted out 
as hot air,” says Hellman. “But by combing the data for key 
words, key phrases, key names and addresses, one percent 
gets caught in the bag as dirt.” 


The antidote for this would amount to, in essence, a 
cryptographic revolution, which would allow ordinary 
people to encrypt the stuff they sent over the network. The 
big problem, as Diffie had discussed with McCarthy and
Schroeppel, was scaling crypto for more users, and making
it easier to use. Something had to replace, or at least 
augment, the old-style, classical form of symmetrical-key 
crypto (where the same key that scrambles the messages 
can unscramble it, too), because it was totally unfit for the 
massive numbers of private conversations and digital 
transactions that people would require. The problem was 
that in order to have those private conversations, both 
parties had to arrange in advance what the key would be, 
and then somehow use that key without exposing it to 
eavesdroppers or intruders. This was a fairly 
straightforward act for a military organization, but an 
absolute nightmare in a bustling marketplace. What were 
you going to do—send millions of bonded couriers out into 
the streets to personally hand someone a new key every 
time he wanted to start up a phone conversation or file a 
purchase order? The only feasible approach seemed to be 
an infrastructure of key distribution centers that would 
generate a key every time two people requested one for a 
private conversation. But Hellman shared Diffie’s deep- 
seated suspicion of such a centralized system. 


“I knew he’d be around for a couple of months, but I also 
had the feeling that he might pick up and leave, and I was 
really anxious to see him stay here,” says Hellman. So 
Hellman called his grant monitor in the National Science 
Foundation (NSF) and wheedled some more funds to spend 
working on cryptography. There was enough to hire Whit 
Diffie as a part-time researcher. “It might have been for ten 
to twenty hours a week, or about a quarter to a half of what 
a working person would normally make,” says Hellman, who 
also suggested that while they were at it, why not have 
Diffie enroll as a graduate student and get a doctorate in 
the process? 


That part of the arrangement didn’t work out. “Whit is a 
truly free spirit,” was Hellman’s postmortem. “When he’s 
interested in something for himself and no one’s making 
him do it, he will spend unbelievable hours a day, get by 
with little sleep. But [not] when he has homework 
assignments and the structure.” Ultimately, Diffie dropped 
out of the graduate program when the administrators 
noticed that he hadn’t taken the requisite physical 
examination. “I didn’t feel like doing it; I didn’t get around 
to it,” says Diffie. Though he finessed the matter for some 
months, ultimately, when the Stanford bureaucrats refused 
to register him without proof he had taken the physical, 
Diffie told them to go to hell. 


“I used to think of it as a handicap on Whit’s part,” says
Marty Hellman, “but maybe he was just mature at an 
earlier age, thinking, Damned-if-I’ll-follow-some-of-your- 
stupid-rules. Because some of them are stupid.” 


Ultimately, it was only by questioning the conventional 
rules of cryptography and finding some of them “stupid” 
that Diffie made his breakthroughs. A case in point: the 
belief that the workings of a secure cryptosystem had to be 
treated with utmost secrecy. That might have held true for 
military organizations, but in the computer age, that didn’t 
make sense. There would be unlimited users who needed a 
system for privacy; obviously, such a system would have to 
be distributed so widely that potential crackers would have 
no trouble getting their hands on it and would have plenty 
of opportunity to practice attacking it. Instead, the secrecy 
had to rest somewhere else in the system. Maybe those one- 
way functions that obsessed Diffie could be involved in such 
a system. 


In the months that followed, they became close colleagues 
and friends. Mary and Whit often hung out at the
Hellmans’. Marty’s wife Dorothy was an enthusiast of
purebred dogs—obviously something Mary was interested 
in—and Mary got one of Hellman’s daughters interested in 
playing the harp. Whit and Marty would usually be off in a
corner, talking cryptography. 


Between Whit and Mary there was now an understanding 
that the traveling was over. They began their Palo Alto 
house-sitting stint for John McCarthy, watching his teenage 
daughter Sarah while the AI pioneer was on a Japanese 
sabbatical. Meanwhile, they started looking for a place of 
their own in Berkeley. Mary took a job with British 
Petroleum in San Francisco. Whit had the house to himself 
all day, and he would clean and cook. Mainly, he would work 
with Marty, hoping against hope that his years of didactic 
study would bear fruit and he would make a contribution, 
however slender, to the maddeningly secretive field of
cryptography.


His years of obsession had not decreased his passion for 
the subject. Nor had his deep affection for Mary Fischer— 
his other romance—distracted him. On the contrary, their 
relationship had only intensified his hunger for privacy, and 
the quest for a technology to provide it. His epic quest had 
begun from a lack of trust in computer systems and their 
keepers. Now it was about maintaining a valuable personal 
connection, too. “When he felt he’d finally found a 
trustworthy person,” as Mary Fischer later explained, “the 
question became, ‘How do you deal with a trustworthy 
person in the midst of a world full of untrustworthy people?’”


the standard 


On March 17, 1975, a dry government document produced 
a shock wave that just about tore the plaster off the walls of 
Martin Hellman’s little cipher operation at Stanford 
University. It was a Federal Register posting from the 
National Bureau of Standards (NBS), ostensibly one of 
countless protocols proposed by that agency that, if 
adopted, would become the officially endorsed means of 
doing things for the federal government. By extension, it 
would become the no-brainer choice for private industry 
and just plain folks as well. This proposal involved 
something seldom ventured in the public literature: a 
brand-new encryption algorithm. And a strong one to boot. 
It was to be called the Data Encryption Standard, or DES. 


The Stanford team had known that the unprecedented 
move was in the offing—the NBS had been issuing requests
for such a standard—and Hellman knew that his old and
trusted colleagues at IBM had been cooking up a system 
designed to satisfy the government’s criteria. So at first 
they welcomed the announcement. “This was big news,” 
recalls Hellman. “We were happy to see a standard. We 
thought it was a wonderful thing.” 


Then they began to actually examine the DES system— 
and learned that the National Security Agency apparently 
had a hand in its development. And their enthusiasm turned 
to dismay. Right away, it was glaringly obvious that the flaw 
in the DES was the size of the encryption key, a metric that 
directly determines the strength of a cryptographic system. 
It was 56 bits long. That’s a binary number of 56 places. You 
could envision this as a string of 56 switches, each of which 
could be on or off. Though 2 to the 56th power was a hell of 
a big number in most circumstances—it meant that there 
were 2^56 possible keys, or about 70 quadrillion—Hellman
and Diffie believed that it was too small for high-grade 
encryption. Sophisticated computers, they insisted, could 
eventually work hard enough to find solutions to such 
encrypted messages by “exhaustive search”: trying out 
billions of key combinations at lightning speed until the 
proper key was discovered and the message suddenly 
resolved itself into the orderly realm of plaintext. This 
would be a classic “brute-force” attack. “A large key is not a
guarantee of security,” says Hellman, “but a small key is a 
guarantee of insecurity.” 


Diffie wrote as much in an otherwise respectful initial 
analysis of the standard, submitted in May 1975 as part of 
the NBS’s public comment process. “The key size is at best 
barely adequate. Even today, hardware capable of defeating 
the system by exhaustive search would strain but probably 
not exceed the budget of a large intelligence organization.” 
He postulated that a free-spending agency could feasibly
build a customized machine that would crack such a key
within a day. “Although cryptanalysis by exhaustive search 
is far from cheap, it is also far from impossible,” he wrote, 
“and even a small improvement in cryptanalytic technique 
could dramatically improve the cost performance picture. 
We suggest doubling the size of the key space to preclude 
searching.” 


Naively, the Stanford duo believed that such advice might 
be heeded by the United States government: Well, damn, 
you guys are right! Let’s double that silly key size! Instead, 
the government’s response was sufficiently evasive for 
Hellman to suspect that a smoke screen lay behind the 
NBS’s actions. In subsequent months, in fact, Hellman 
would publicly begin to question whether the DES 
algorithm might have been a daring ruse on the 
government’s part to lull citizens and perhaps even foreign 
foes into an illusion that they were protecting information— 
while that supposedly secure data was easily accessible to 
the NSA. At his most paranoid, Hellman wondered whether 
the DES had a “back door” implanted in it by Fort Meade’s 
clever cryptographers. While there was no direct proof of 
that, there was reason for suspicion. If everything was on 
the up-and-up, Hellman wanted to know, why was it that the 
design principles of the algorithm, as well as its inner 
workings, were being treated as government secrets? If the 
government had nothing to hide, why were they hiding 
something? 


Diffie and Hellman were only the first to question the 
murky origins of the Data Encryption Standard. The debate 
would continue even as the DES became a kind of gold 
standard for strong commercial cryptography—and an 
object of continued suspicion among the outsiders of the 
crypto and civil liberties world. Only with the passage of 
time would it become clear that the development and
certification of DES was in a sense an inspiring story of its
own, one that had elements in common with the quest of 
Diffie and Hellman themselves. 


The story began with one of IBM’s most enigmatic 
researchers, Horst Feistel. He was the German-born 
cryptographer who had done the work on Identification 
Friend or Foe protocols that Whit Diffie had learned from 
Alan Tritter. Feistel had been working at IBM’s research 
division in Yorktown Heights since the late sixties. It was 
one of the few jobs in the private sector that involved work 
in cryptographic research. 


In fact, some of his colleagues suspected that Feistel had 
been in the NSA’s employ and was somehow still hooked up 
with it, even while working for IBM. In any case, his 
biography is somewhat sketchy. Born in 1914, he had left 
Germany as a young man. His aunt had married a Swiss Jew 
living in Zurich, and on the concocted pretext of tending to 
his aunt’s illness, Feistel joined them just before the Third 
Reich began a military conscription that would have 
prevented his escape. After studying in Zurich, Feistel came 
to the United States in 1934. He was about to become a 
naturalized citizen when America was thrust into World 
War II. Feistel was put under what he once described as 
“house arrest,” his movements restricted to the Boston area 
where he was living. But in January 1944, Feistel’s 
circumstances changed abruptly. He was not only granted 
citizenship but also given a security clearance and a job at a
highly sensitive facility: the Air Force Cambridge Research 
Center. 


What he did there is unclear. Codes had fascinated him 
since his boyhood, but in the early 1990s he told Whit Diffie
that while crypto work was indeed his desire, he was
informed that this was not suitable wartime work for a 
German-born engineer. On the other hand, in a 1976 
interview with David Kahn, Feistel said that during the war 
he had worked on Identification of Friend or Foe systems— 
not cryptography per se at that time, but close. 


There are other contradictions in Feistel’s various 
accounts of his activities. He told Diffie that before he was 
granted U.S. citizenship, he had to report to authorities 
every time he left Boston to visit his mother in New York. 
But he once told a coworker that his mother didn’t 
emigrate until the Cold War began. The U.S. had spirited 
her out of East Berlin, he reportedly said, just in case the 
Soviets discovered that Feistel was doing crypto and 
decided to pressure her. 


There was no doubt, however, that after the war, Feistel 
began to specialize in IFF. He headed a crypto group at the 
Cambridge Research Center, and part of his job was testing 
an advanced IFF system that depended on an amazing new 
invention, the transistor. This tiny marvel would enable an 
IFF system to be built so compactly that it could fit into the 
nose of a fighter plane. Another important project of 
Feistel’s was a longtime passion: constructing a strong 
cryptosystem based on block ciphers. (This kind of system 
encrypted messages by processing them in chunks, or 
“blocks,” as opposed to stream ciphers, which did their 
scrambling on text as it flowed, or “streamed,” by.) 


Did the NSA embrace Feistel’s work, or did it see his 
work as a threat, and try to stifle it? According to what 
Feistel told Diffie, the people at The Fort had closely 
monitored his air force work and used the NSA’s power to 
influence the direction Feistel’s work took. But the agency 
also regarded the project as a threat and eventually
managed to kill the entire crypto effort at the Cambridge
lab. When Feistel left for another job in the mid-1960s at 
Mitre (the same military contractor that would later put 
Whit Diffie on its payroll), he unsuccessfully tried to 
organize a group there that would resume his crypto work. 
He blamed the failure on more NSA pressure. 


So Feistel took the advice of his friend, A. Adrian Albert, 
and went to work for IBM, which seemed more open to 
such pursuits. (Albert was a mathematician, a onetime head 
of the American Mathematical Society, who had himself 
done extensive cryptography work for the government.) 
IBM was an amazingly rich company with little competition, 
and its research division was an intellectual playground 
where incredibly bright scientists were encouraged to 
explore whatever interested them. “If they hired you at 
Yorktown, you’d do what you wanted, as long as you did 
something,” says Alan Konheim, who became Feistel’s boss 
in 1971. “And Feistel did something—he formalized this idea 
for a cryptosystem.” 


The most remarkable aspect of Feistel’s creation was not 
its mathematics or its technology—or even its resistance to 
codebreakers—but the motivation behind it. His 
superstrong cipher wasn’t intended to defend government 
secrets or diplomatic dispatches, but to protect people’s 
privacy—specifically, to protect databases of personal 
information from intruders who might steal the contents to 
create detailed dossiers on individuals. “Computers,” wrote 
Feistel in a 1973 article for Scientific American, “now 
constitute, or will soon constitute, a dangerous threat to 
individual privacy. . . . It will soon be feasible to compile
dossiers in depth on an entire citizenry.” Feistel declared 
that the antidote was cryptography, traditionally the domain 
“of military men and diplomats.” He proposed that 
computer systems be adapted “to guard [their] contents
from anyone but authorized individuals by enciphering the
material in forms highly resistant to cipher-breaking.” 
Considering Feistel’s familiarity with the government’s zeal 
for keeping cryptography to itself, this was a significant 
position to take. So important was privacy in the computer 
era, Feistel believed, that the knee-jerk national security 
arguments would have to be shelved. 


Meanwhile, Feistel was concocting a system that would 
grant people that privacy. 


The system was called Demon, so dubbed because file 
names in the computer language he used (APL) could not 
handle a word as long as his unimaginative choice for the 
first version, “Demonstration.” Later, in a burst of 
inspiration, an IBM colleague would change the name, 
carrying over the satanic theme from Demon, to “Lucifer,” 
thus containing a cryptographic pun. 


As a block cipher, Lucifer was a virtual machine that 
sucked in blocks of plaintext data and spit out blocks of 
ciphertext. Feistel created several versions; the best known 
used a digital key of 128 bits, an enormously tough target 
for a brute-force attack. Impossibly tough. Of course, the 
issue of key length would be of little importance if a 
codebreaker could quickly crack the system by detecting 
and exploiting structural weaknesses that would recover 
plaintext without having to bother with brute-force attacks. 
If even the most subtle pattern could be discernible in 
ciphertext, a codebreaker would be on his way to breaking 
the system. Lucifer’s strength, like that of any other cipher, 
depended on denying potential foes any such shortcuts. 
Feistel’s cipher avoided telltale patterns by subjecting the 
plaintext characters to a tortuous mathematical journey, 
leading them through a complicated whirl of substitutions. 
Ultimately, after sixteen “rounds” of furious swapping with 
other letters in the alphabet, the actual plaintext words and 
sentences would appear only as a block of seemingly 
random letters: an oblique ciphertext. 


The crucial rules of substitution took place by means of 
two substitution boxes, or “S-boxes.” These, of course, were 
not physical boxes, but sets of byzantine nonlinear 
equations dictating the ways that letters should be shifted. 
(At least one colleague of Feistel’s, Alan Konheim, believes 
that the idea of S-boxes had been given to Feistel by the 
NSA at a summer workshop, supposedly to get a technology 
well understood by Fort Meade into the mainstream. “Horst 
is a very clever guy, but my guess is he was given 
guidance,” says Konheim.) 


The S-boxes did not merely initiate a set of predictable 
substitutions in the letters; they used information drawn 
from a series of numbers that comprised a secret key to 
vary the sequence as the bits passed through the boxes. 
The security of the system ultimately rested with this key. 
Without knowing this key, even a foe who understood all the 
rules of Lucifer would have no advantage in transforming 
ciphertext into plaintext by some reverse-engineering 
technique. 


Such knowledge of the rules was to be assumed; the nuts 
and bolts of a well-distributed commercial cipher were 
much more likely to be accessible to eavesdroppers than 
the workings of military codes, which could be more tightly 
controlled. A cryptanalyst trying to crack an army code 
would often have no clue as to the system used to produce 
the ciphertext, a problem that required not only plenty of 
extra time to break the code, but also a huge amount of 
resources in the black art of undercover intelligence. Huge 
spy networks devoted themselves to learning the sorts of 
codes the enemy used. On the other hand, if Chase 
Manhattan Bank decided to use IBM’s brand-name code to 
encrypt its financial transactions, a potential crook would 
find it relatively simple to discover what cryptosystem the 
bank used. Since IBM might license the cryptosystem to 
others, the rules of that system would probably be 
circulated fairly widely. So in this new era of non-military 
crypto, all the secrecy would rely on the key. 


IBM applied for, and received, several patents for Lucifer. 
As an innovation of its Watson Research Lab, Lucifer fell 
into the research category. But unlike some blue-sky 
schemes at Watson that were way ahead of their time, an 
invention that provided an instant answer to a pressing 
problem—data security in the communications age—was 
naturally positioned on a fast-track to commercialization. 
Lucifer’s first serious implementation came quickly, in 
Lloyds of London’s Cashpoint system, a means for 
distributing hard currency to bank customers. Undoubtedly, 
this was a harbinger of bigger things to come for both IBM 
and crypto. It was only a matter of time before Horst 
Feistel’s baby would no longer be a research project; it 
would be a major IBM initiative. And that would change 
everything. 


As Feistel was refining Lucifer, a thirty-eight-year-old 
engineer named Walter Tuchman was working at IBM’s 
Kingston, New York, division. He was a Big Blue lifer, having 
first gotten his feet wet during a three-month period at IBM 
in 1957 between college and the army. When he finished his 
stint, IBM not only rehired him but sent him off to Syracuse 
to pursue a doctorate in information theory. Most of his 
classmates remained in academia, but Tuchman wanted to 
use his knowledge to actually create sophisticated 
technology, so he stuck with IBM and wound up heading 
product groups. 


Tuchman’s most recent IBM task involved an odd sort of 
computer security vulnerability. When computer terminals 
are in operation, they leak out faint electronic impressions 
that a sophisticated eavesdropper can use to reconstruct 
the information being shown on the screen. In effect, those 
blips represent an unauthorized computer-data wiretap. 
The government wanted a special means to shield its 
computers from such potential leaks, and IBM responded 
by devising what came to be known as Tempest technology. 
It was considered a big win, and when Tuchman’s team 
finished its work around 1971, people in the group wanted 
to stay together rather than disperse to other projects, a 
routine known internally as “volkerwanderung.” To do this, 
they needed a new mission. Tuchman’s boss knew there 
were some interesting things going on in the banking 
division that might require innovative advances in computer 
security, and suggested Tuchman and his team look into it. 


IBM’s banking division was fortuitously located just 
across the road from Tuchman’s offices in Kingston. He 
quickly found that his boss’s instinct was sound in sending 
him there. Building on the Lloyd’s project, IBM had decided 
to advance the idea of cash-issuing terminals, where bank 
customers could get money from their accounts without 
having to see a teller. The first cash-issuing machines had 
been giant safes that held not only the money but also all 
the electronic and computer equipment necessary to 
process the transaction. This was both costly and unwieldy. 
The better solution would be to spread the computer 
application between a terminal and the bank’s mainframe 
computer, which could do all the heavy-duty processing. 
This solution was not only efficient, but hewed to IBM’s 
recent, painful realization that the standard model of 
computing was headed to the junkyard. “Before then, data 
processing was all done on the mainframe. The security 
model was that you locked your door, you locked your desk, 
and you had a guy with a gun guarding the building,” 
explains Tuchman. But now, even the most tradition-bound 
minds in Armonk understood that in the future, as Tuchman 
puts it, “data processing was leaving the building.” And 
since a guard with a gun couldn’t be everywhere, the 
security model would have to change. 


Of course, a system that actually doled out cash would 
represent a trial by fire for whatever new type of security 
IBM employed. The crucial commands that flashed a green 
light to spit out twenty-dollar bills would be sent over the 
phone line. Tuchman was quick to understand how 
precarious this could be. Imagine if some techno-crook 
managed to elbow his way on to the phone line and mimic 
the messages that said, “Lay on the twenties!” 


The answer was cryptography. Though Tuchman had a 
background in information theory, he had never specifically 
done any crypto work. But he soon found out about the 
system that the guys in IBM research at Yorktown Heights 
had cooked up. He ventured down to Watson Labs one day 
and heard Feistel speak about Lucifer. He immediately set 
up a lunch with Feistel and Alan Konheim. The first thing 
Tuchman asked Feistel was where he had gotten the ideas 
for Lucifer. Feistel, in his distinctive German accent, 
mentioned the early papers of Claude Shannon. “The 
Shannon paper reveals all,” he said. 


Meanwhile, Tuchman’s colleague Karl Meyer was 
exploring whether Lucifer might be a good fit for an 
expanded version of the Lloyd’s Cashpoint system. 
Ultimately he and Tuchman concluded that it would 
probably need a number of modifications before it was 
strong enough to rely upon. But it would be a fine 
beginning. And so, they made an arrangement with Alan 
Konheim and his Information Theory Group. Tuchman and 
Meyer’s team at Kingston would build a revised algorithm 
for Lucifer. Then they would send it to Yorktown for 
evaluation and testing. 


The internal name for the cipher was the DSD-1. 


Before this arrangement was approved, however, a top 
IBM executive demanded to know why they were even 
bothering with Lucifer when he knew of a cheaper, faster 
algorithm. Tuchman took this supposedly superior 
algorithm home and broke it over the course of a weekend. 
(He and Meyer eventually published the break in the trade 
magazine Datamation.) Tuchman would often cite this 
triumph as proof that his team knew what it was doing— 
and to ensure that the work wouldn’t be disrupted by 
clueless interference from upstairs. “We can’t deal with 
amateurs in the field,” he remembers telling the muckety-mucks 
high on the corporate food chain. “There’s no cheap 
way out of doing a crypto algorithm. You’ve gotta work, 
work, work. Qualify, qualify, qualify. It’s going to take a long 
time.” 


This was a fairly difficult process because, as Whit Diffie 
could have told the Kingston group, there was pathetically 
little information available on how one could construct a 
modern, military-strength cryptosystem. “All of it was 
classified,” sighs Tuchman. “But we understood from our 
mathematics classes what makes a cipher hard to solve.” 
His group read everything they could in the library, and, as 
Feistel had predicted, the most helpful papers were those of 
Shannon. And they talked a lot to Feistel himself. But mainly 
they reinvented a lot of what must have been common 
knowledge among the algorithm weavers at Fort George 
Meade. “We sat around in our conference rooms working 
on the blackboard, teaching ourselves,” says Tuchman. 


Ideally, Feistel himself would have been recruited to 
temporarily move to Kingston. Tuchman kept asking 
Konheim, “What does Horst want to do? I'll give him a nice 
desk and his own office, and he can come up here.” 


And Konheim would say, “Nah, I don’t think it'll work out.” 


Tuchman eventually came to understand why. “Horst was 
like a European version of James Stewart in the movie 
Harvey,” he later said. “He was sort of living in a little 
magical world between what happens in a commercial 
business like IBM and his hobbies. I never quite felt that 
Horst understood what the business world—especially the 
high-tech business world—was all about. He was cloistered 
in research in Yorktown, and here we were, these crazy 
guys from Kingston who were actually willing to make 
products, to see if we could do something that made 
money.” 


Konheim agrees that Feistel was oddly misplaced in the 
corporate world and, as time went on, even in the research 
division of that universe. According to Konheim, as Lucifer 
became less and less Feistel’s invention and more the 
commercial product of an IBM division, Feistel would arrive 
at Yorktown later and later in the day. And even then, he 
wouldn't seem to be working on the project, but rather 
spending a lot of time on the phone speaking German. 
Konheim says that Feistel’s elderly aunt had promised him a 
considerable inheritance, and a lot of that phone time was 
spent cultivating her almost fanatically. (According to 
Konheim, it was a bitter disappointment years later when 
she died and left him nothing.) 


And Feistel’s 1973 article for Scientific American—one of 
the most explicit scientific descriptions of crypto presented 
to the public in years—could have been interpreted as a 
rebellion of sorts. Certainly in some quarters such 
frankness about the cryptographic innards of a potential 
IBM product could have more than raised an eyebrow. 
Apparently, the NSA itself objected to the article; years 
later, Feistel would allude to the agency’s unhappiness with 
it, also remarking that if it hadn’t been for the Watergate 
scandal then turning Washington upside down, the NSA 
might have tried to shut down the entire Lucifer project, as 
it had with his previous ventures. 


The Kingston group was blissfully unaware of such 
intrigues. To them, the Lucifer effort was simply a product 
ramp-up. They focused on their goal of modifying the 
system, of increasing its complexity and difficulty so that its 
ciphertext would pass the Shannon tests for apparent 
information randomness. The first step was to set up a list 
of what they called “heuristic qualifiers,” a series of 
mathematical tests that would evaluate the cryptosystem’s 
output—the scrambled message—so that it bore no 
apparent relationship to the original message, appearing to 
be a random collection of letters. In Claude Shannon’s 
terminology, the apparent information content would be 
zero. 


Feistel’s version of Lucifer certainly attempted to reach 
this ideal but didn’t go far enough. Its strongest feature was 
its two S-boxes, where the trickiest substitutions took place 
—the nonlinear transformations designed to drive 
cryptanalysts batty. So the Kingston team decided that the 
new, improved Lucifer—DSD-1—would have even more 
devious S-boxes. And the number of those would increase 
from Lucifer’s two to a much more formidable eight. 


Complicating that effort were the requirements for 
compactness and speed: “It had to be cheap and it had to 
work fast,” says Tuchman. To fulfill those needs, the entire 
algorithm had to fit on a single chip. So another part of the 
team was a VLSI (Very Large Scale Integration) group, split 
between Kingston and IBM’s Burlington, Vermont, labs, 
whose job was to put the entire scrambling system on a 3-micron, 
single wiring layer chip. If everything worked out, 
IBM would have the tiniest strong-encryption machine ever 
known. 


Working under those constraints, the Kingston team 
constructed the complicated DSD-1, still informally referred 
to as Lucifer. If all went well, their new Lucifer would take a 
64-bit block of plaintext, submit those bits through a 
torturous process of permutation, blocking, expansion, 
blocking, bonding, and substitution involving a digital key, 
and then repeat the process fifteen times more, for a total 
of sixteen rounds. The result would be 64 bits of what 
appeared to be total digital anarchy, a Babel that could only 
be returned to order by someone reversing the encryption 
process by using the digital key that determined how the 
scrambling had been done. 
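
The round structure described above can be seen in a toy Feistel network, the general construction that DES uses. This is an added example, not IBM's algorithm and not code from the book: the SHA-256 round function, the key schedule, the key and the sample blocks are all constructed stand-ins. It shows a 64-bit block being reversed only with the right key, and why one round is not enough.

```python
import hashlib

HALF_BITS = 32
HALF_MASK = (1 << HALF_BITS) - 1


def subkeys(key, rounds):
    """Constructed key schedule: one subkey per round, derived by hashing."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def round_fn(half, subkey):
    """Keyed nonlinear mixing of one 32-bit half. SHA-256 is a stand-in for
    the expansion and S-box substitution steps of a real cipher."""
    digest = hashlib.sha256(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def _feistel(block, keys):
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in keys:
        # The half fed to round_fn passes through unchanged, so each round
        # can be undone without ever inverting round_fn itself.
        left, right = right, left ^ round_fn(right, k)
    # Final swap of halves makes decryption the same network run backwards.
    return (right << HALF_BITS) | left


def encrypt(block, key, rounds=16):
    return _feistel(block, subkeys(key, rounds))


def decrypt(block, key, rounds=16):
    # Same network, subkeys applied in reverse order.
    return _feistel(block, subkeys(key, rounds)[::-1])


def avalanche(key, rounds, plaintexts):
    """Mean number of ciphertext bits (out of 64) that change when a single
    plaintext bit is flipped. A random-looking mapping gives about 32."""
    changed = trials = 0
    for p in plaintexts:
        base = encrypt(p, key, rounds)
        for bit in range(64):
            flipped = encrypt(p ^ (1 << bit), key, rounds)
            changed += bin(base ^ flipped).count("1")
            trials += 1
    return changed / trials


# Constructed sample data, not taken from the book.
KEY = b"constructed-demo-key"
SAMPLES = [0x0123456789ABCDEF, 0x0000000000000000,
           0xFFFFFFFFFFFFFFFF, 0x4C75636966657221]

if __name__ == "__main__":
    ct = encrypt(SAMPLES[0], KEY)
    print(f"plaintext  {SAMPLES[0]:016x}")
    print(f"ciphertext {ct:016x}")
    print(f"right key  {decrypt(ct, KEY):016x}")
    print(f"wrong key  {decrypt(ct, b'some-other-key'):016x}")
    for r in (1, 2, 3, 16):
        print(f"{r:2d} round(s): {avalanche(KEY, r, SAMPLES):5.2f} of 64 bits change")
```

With one round, flipping a bit in the half that is not fed to the round function changes exactly one ciphertext bit, the kind of visible pattern a statistical test on the output is meant to catch.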


Then the Watson Lab team would try to attack it, to see if 
things really had gone well. 


Though Horst Feistel was not involved in the actual 
reconstruction of DSD-1, he did help bring his colleagues in 
research up to speed for the testing process. On January 
11, 1973, he gathered five fellow members of the Data 
Security Group at Yorktown Heights and gave them their 
first exposure to the Lucifer cipher. One of the group, Alan 
Tritter (the same eccentric computer scientist who had told 
Whit Diffie about IFF protocols), raised questions as to the 
wisdom of the entire enterprise. Was IBM putting itself at 
risk by vying to be a power in the new world of commercial 
cryptography? What if Lucifer could be cracked? 


Tritter’s comments drew interest because they seemed to 
echo some remarks made, but not proven, by a professor at 
Case Western Reserve University named Edward Glaser. A 
blind man who was one of the endless consultants IBM 
routinely hired with its bottomless budget, Glaser, 
according to Konheim, had blustered that if he were given 
twenty examples of ciphertext, along with the original 
plaintext (this is known as a chosen plaintext attack), he 
could break Lucifer’s system. (It turned out to be a specious 
claim.) 


But the point was well taken, and Tritter repeated it in a 
memo written later that year. “We were/are in an unusually 
exposed position,” he wrote. Noting that the first use of 
Lucifer was already implemented in a Lloyd’s cash terminal, 
he ticked off the consequences that could come if the 
system, like so many seemingly “unbreakable” ones before 
it, was somehow compromised. If someone was able to 
produce a valid key for a Lucifer cipher, he wrote, “a clever, 
resourceful, highly organized attempt to remove illicitly but 
without the use of force the entire cash contents of all the 
terminals in the ‘Cashpoint’ system, say over a single bank 
holiday weekend, would certainly succeed.” 


But such a possible loss was only the beginning of the 
sorts of perils IBM was courting by drawing on crypto’s 
implicit promise of security. With Big Blue’s fat cash 
reserves, it would be no problem replacing even a steep 
stack of twenties to reimburse Lloyd’s. More troublesome 
would be restoring public confidence. And then would come 
the lawsuits. 


“Were the security of [Lucifer] or of any other crypto 
product we may subsequently field to be breached publicly, 
the harm it would do us in the marketplace would be 
incalculable,” wrote Tritter. “And this is in addition to actual 
damages and the very real possibility of exemplary 
damages awarded against us in a lawsuit which would give 
the press, the industry, and the public a field day.” 


On the other hand, how could IBM not pursue 
cryptography? Its business was the information age, and 
without a means of protecting data as they moved from one 
computer to another, IBM would not sell nearly as many 
computers. The lack of cryptography was a potential 
roadblock to the computerization of America—and the 
computerization of the world itself. So on February 5, 1973, 
a high-level meeting was held to review “the status and 
plans of cryptography within the entire IBM corporation.” 
As Tritter later summarized the meeting, “It appeared to be 
broadly agreed ... that IBM was apparently in the crypto 
business for keeps, and would have to acquire a corporate 
expertise in the area. In the meanwhile, attacks on Lucifer 
were to be intensified.” 


An outside expert, Jim Simons of the math department at 
the State University of New York at Stony Brook—who had 
also practiced cryptography at the Institute for Defense 
Analysis, the NSA satellite in Princeton—was recruited to 
organize a concentrated attack on Lucifer. He worked with 
three researchers from Yorktown Heights for about seven 
weeks in the late spring of 1973. Even before he issued his 
report, IBMers were buzzing with the good news: Simons 
and his team hadn’t cracked it. 


“The Lucifer machine is certainly stronger than I had 
originally thought,” Simons wrote in his report of August 
18, 1973. But he didn’t exactly bestow a crypto seal of 
approval on it. “It seems highly improbable that Lucifer will 
be broken by two high school students as part of their 
science fair project,” concluded Simons. “On the other 
hand, there isn’t nearly enough evidence to feel confident 
that it won’t succumb to sophisticated attacks by a 
professional cryptanalyst.” Simons worried that if Lucifer, 
as currently constituted, was put into commercial use, it 
would almost inevitably be used to protect “traffic of 
genuine importance” (like money, or trade secrets), 
providing the incentive to encourage an intense, ultimately 
successful effort to break it. So while Lucifer seemed to be 
a good start for IBM, Simons warned, the company should 
work harder to come up with an improved product. “There 
really is no choice,” he concluded. 


Meanwhile, IBM itself kept wondering if Lucifer was up to 
the task. In a confidential memo in May 1973, its chief 
scientist Lewis Branscombe, summarizing the consensus of 
the firm’s Scientific Advisory Committee, emphasized the 
need for the company to “establish a single cryptographic 
architecture, technology and product strategy.” Lucifer, he 
wrote, was not the only candidate. But later in the month, 
another memo deemed the Kingston scheme superior, with 
one caveat: “Unless there is a clear evidence of a significant 
threshold of vulnerability.” 


The tests continued for months, conducted by private-sector 
researchers hired by IBM. “Alan would give them the 
algorithm and say, ‘Break it. Just go break it.’ And Alan kept 
reporting back that nobody could find a shortcut,” says 
Tuchman. “Finally I reached that magical psychological 
place where I figured this thing doesn’t have a shortcut, so 
there is just no shortcut solution. Forget it, guys, let’s 
concentrate on implementing the product now.” 


Still, compared to the world-class codebreakers behind 
the Triple Fence, most of the math professors hired to bang 
their heads against Lucifer were Little Leaguers. How could 
IBM be sure the scheme was really sound? They certainly 
didn’t want to find out its vulnerabilities by discovering that 
one day some former KGB cryptanalyst hired by the Mafia 
had cleaned out their virtual cash vault. 


At the beginning of 1974, Tuchman figured his team was 
about halfway through its work. “We had a pretty good idea 
how much algorithm we could get on a single chip,” he says. 
And much of that algorithm was written. But two things 
happened that year that would profoundly affect the 
project. The first would throw it open to the public. The 
second would cast a clandestine shadow over it that would 
last for a generation. 


IBM was not the only institution aware of the vital need 
for cryptographic protection in the computer age. That view 
was also shared at the National Bureau of Standards, the 
government agency in charge of establishing commonly 
accepted industry standards for a wide variety of 
commercial purposes. The bureaucrats and scientists there 
believed that digital protection should be centered in a 
single system, one well-tested means of encrypting 
information that would be accessible by all. So NBS decided 
to solicit proposals for a standard cryptographic algorithm. 
(The NSA declined to submit one of its own ciphers, since 
allowing outsiders to examine its work was unthinkable.) In 
the May 15, 1973, Federal Register, the NBS listed a 
number of exacting criteria that such a standard should 
meet. 


Not surprisingly, the NBS received no submissions at that 
time that even vaguely met the criteria. By and large the 
only cryptographers in this country who had the 
wherewithal and expertise to meet this challenge were 
working behind the Triple Fence. And the work done there 
was never published, never revealed. 


But there was one cryptosystem in development that 
seemed to fit a lot of the government’s needs: Lucifer, the 
DSD-1. Lewis Branscombe, IBM’s chief scientist—who, not 
coincidentally, was himself a former head of the NBS—in 
particular felt that this work in progress might be an 
excellent candidate for the encryption standard for the next 
generation. 


Walt Tuchman was against the idea, primarily because of 
the trade-off involved in submitting the revised Lucifer as a 
federal standard: IBM would be required to relinquish its 
patent rights, essentially giving—not selling—the algorithm 
to the world. “I was this typical capitalistic product 
manager,” he explains. “I’m in this thing to make money, not 
to foster some great social improvement.” He argued his 
point before IBM’s high-level executive Paul Rizzo, who was 
then Big Blue’s number two. Branscombe presented the 
other point of view: make it public. Finally, Rizzo weighed 
in. Lucifer, he argued, was like a safety component that 
benefited all of society. If the Ford Motor Company came up 
with a seat belt superior to those of its competitors, one 
that saved the lives of moms and dads, would they allow 
General Motors to use it? You better believe they would, 
because it was the right thing to do. Jimmy Stewart 
couldn’t have topped that homily. You could almost hear the 
violins playing. The speech convinced not only the IBM 
board, but Tuchman himself, who called a staff meeting 
when he returned to Kingston. “Well, guys,” he said, “we’re 
going to give the stuff away.” 


Not completely, of course. The ways they built Lucifer into 
a chip, the ways they would implement it within a full-featured 
solution, the little tricks to get the most of it... 
these would be great selling points for IBM-created 
versions of the DSD-1. Other companies would get access 
just to the algorithm itself. So maybe it wasn’t such a bad 
idea from a business perspective to give the thing away. 


The feeling at IBM was that merely submitting its work to 
the NBS was sufficient to fast-track DSD-1 toward a 
coronation as the standard. Even though the response date 
for the NBS’s request for crypto algorithms in 1973 had 
long expired, Branscombe wrote to his NBS successor Ruth 
Davis in July 1974, offering what he described as the “Key-Controlled 
Cryptographic Algorithm,” developed at 
Kingston, as a candidate. With this favored new candidate 
already in hand, the NBS somewhat superfluously reissued 
its request for crypto algorithms in the August 27, 1974, 
Federal Register. No serious competitor emerged. And thus 
the revised Lucifer, a.k.a. DSD-1, was destined to be known 
by a lofty, though generic, moniker: the Data Encryption 
Standard. The title would eventually become so familiar 
among the digital cognoscenti that it would be pronounced 
not as an acronym but as a single phoneme: Dez. 


By then, the other crucial process in Lucifer’s 
transformation was well under way. It had been fairly early 
in 1974 when Walt Tuchman received what he later would 
refer to as “that deadly phone call.” It was his boss, telling 
him he had to take a trip down to the National Security 
Agency to cool them down about Lucifer. 


Tuchman didn’t like it. But he understood the importance 
of playing ball with Uncle Sam. By creating a cryptographic 
product for the commercial sector, IBM was treading on 
strange turf. If the company didn’t get export clearance to 
send its crypto chip to its international customers, the 
whole product might as well be scrapped. What good was a 
product for a global company like IBM if you couldn’t sell it 
to the global market? 


So Tuchman went on his first visit to The Fort. He 
eyeballed the Triple Fence, contemplated the armed marine 
guards, parked in the visitors’ lot, and entered the small 
concrete building where outsiders lacking previous 
clearance fill in a stack of papers and wait to be called. 
Then an elderly woman appeared and guided him through a 
labyrinth of hallways to the second-level manager assigned 
to the case, a guy just below the deputy-director level. He 
was not in a military uniform or even in a suit. And he 
quickly proposed a quid pro quo: We want to control the 
implementation of this system. You will develop it in secret, 
and we will monitor your progress and suggest changes. 
We don’t want it shipped in software code—just chips. 
Furthermore, we don’t want it shipped to certain countries 
at all, and we will allow you to ship it to countries on the 
approved list only if you obtain a license to do so. That 
license will be dependent on customers we approve signing 
a document vowing that they will not subsequently ship the 
product to anyone else. 


This went on for a while, until Tuchman finally had a 
chance to speak. “What’s the pro quo of the quid pro quo?” 
he asked. After all, the NSA man had focused entirely on 
restrictions and conditions, and had neglected to mention 
what IBM would receive for its troubles. 


“The pro quo will be something very useful to you,” said 
the NSA man. The agency itself would qualify the algorithm. 
Their all-star cryptanalysts would analyze it and bang away 
at it. If there was a weakness, it could be noted and 
corrected. And when the mathematical dust settled, IBM 
would have a priceless imprimatur, one that would assure 
the instant confidence of its customers: the National 
Security Agency Good Secret-Keeping Seal. 


This was a powerful offer. It spoke directly to Tuchman’s 
greatest fear—that outlaw codebreakers would discover a 
shortcut solution that would allow them to steal secrets and 
even money from IBM customers, thus exposing the fabled 
computer giant to international embarrassment and a legal 
Armageddon. Instead of having to rely on the smart but 
inexperienced amateurs at Yorktown and the random 
consultants they hired, IBM would have the ultimate in due 
diligence: the cryptanalysis gold standard. As soon as he 
returned from Fort Meade, he went to see his boss and 
urged him, “Let’s do it. Let’s work with these guys.” It was a 
solution that felt good to the top IBMers, who, after all, 
were virtually synonymous with the “Establishment.” So, 
just like that, the country’s single most important 
cryptographic effort in the private sector—save for that of 
Whit Diffie, still in obscurity struggling at Stanford with his 
weird ideas about one-way functions—came under the 
friendly but firm embrace of the National Security Agency. 


Unspoken was the question as to whether the NSA— 
which after all was not an arm of the Commerce 
Department but an intelligence agency, the ultimate spook 
palace—might discover a gaping weakness in DES but keep 
its collective mouth shut, smug in the knowledge that it 
could use that shortcut to quickly break messages 
encrypted in the IBM code. Tuchman understood the risk of 
this. As the development process unfolded over the next few 
months and years, he watched for signs that this might be 
happening. Ultimately, he was convinced of the NSA’s 
sincerity. “If they fooled me,” he says, “I will go to my grave 
being fooled. I looked at those guys eyeball to eyeball. I’m a 
bit of a film buff, and I’ve seen good acting and poor acting. 
And if the NSA people fooled me, they missed their 
profession. They should’ve gone to Hollywood and become 
actors.” 


From that point on, DES’s development process became, 
for all practical purposes, a virtual annex within the Triple 
Fence. The government issued a secrecy order on Horst 
Feistel’s Lucifer patent, known as “Variant Key Matrix 
Cipher System.” On April 17, 1974, an IBM patent attorney 
sent a memo to the crypto teams at Yorktown Heights and 
Kingston explaining that this meant there would be not only 
no publishing on the subject, but no public discussion 
whatsoever without the written consent of the 
Commissioner of Patents. Even the fact that a secrecy order 
existed was itself considered a secret, and talking about 
that was just as serious a crime as handing out encryption 
algorithms in the departure lounge at Kennedy Airport. A 
loose lip could result in a $10,000 fine, two years in prison, 
or both. Fortunately, the memo explained, “IBM has been 
granted a special permit which allows the disclosure of the 
subject matter in the application to the minimum necessary 
number of persons of known loyalty and discretion, 
employed by or working with IBM, whose duties involve 
cooperation in the development, manufacture, or use of the 
subject matter.” Without that exemption, of course, IBM 
could not have continued its effort, because of the obvious 
difficulty of collaborating on a project when one risked a jail 
term for admitting its existence to a co-worker. 


The NSA’s demands for secrecy were particularly rigid 
concerning the agency’s cryptanalysis of DES. Anything— 
anything—that shed light on the way that The Fort’s 
codebreakers went about their business was regarded as 
the blackest of black information. The agreement drawn 
between the agency and the corporation clearly outlined 
the limited nature of what IBM’s scientists could glean from 
the limited nature of what IBM’s scientists could glean from 
the collaboration. IBM was strictly required to limit those 
who were involved in the evaluation, and to keep up-to-date 
lists of those people. Any contact between Big Blue and Big 
Snoop would come at a series of briefings with rules as 
circumscribed as a Kabuki performance: IBM would 
essentially present information, and the NSA people would 
silently evaluate it. No geeky chatter: the NSA people were 
formally prohibited “from entering into technical 
discussions with IBM representatives in regard to the 
information presented.” Afterward, the NSA folks would 
hold postmortems to determine whether the IBM scientists 
might have stumbled on information or techniques “of a 
sensitive nature.” In that case NSA would then formally 
notify the company, and IBM would keep the information 
under wraps. 


The NSA certainly did know its stuff. It was particularly 
interested in a technique discovered by the IBM 
researchers that was referred to at Watson labs as the “T 
Attack.” Later it would be known as “differential 
cryptanalysis.” This was a complicated series of 
mathematical assaults that required lots of chosen plaintext 
(meaning that the attacker needed to have matched sets of 
original dispatches and encrypted output). Sometime that 
year, the Watson researchers had discovered that, under 
certain conditions, the IBM cipher could fall prey to a T 
Attack—a successful foray could actually allow a foe to 
divine the bits of the key. To prevent such an assault, the 
IBM team had redesigned the S-boxes. After the redesign, 
under even the most favorable conditions, a T Attack would 
provide a cracker only a slight, virtually insignificant 
advantage. 
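
The counting that a difference-based attack like the T Attack relies on can be shown on a single S-box. This is an added example, not from the book: it tabulates output differences for DES S-box S1 (the table is from the published standard) beside a constructed weak S-box; the function names and the weak box are assumptions made for illustration.

```python
"""Difference distribution of a 6-bit -> 4-bit S-box (added illustration)."""

# DES S-box S1 as published in the standard (FIPS 46).
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def des_s1(x):
    """S1 lookup: the two outer input bits pick the row, the middle four the column."""
    row = ((x >> 4) & 0b10) | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]


def weak_sbox(x):
    """Constructed weak box (hypothetical): middle four bits XOR a constant."""
    return ((x >> 1) & 0xF) ^ 0b1010


def difference_table(sbox):
    """ddt[dx][dy] = number of inputs x with sbox(x) ^ sbox(x ^ dx) == dy."""
    ddt = [[0] * 16 for _ in range(64)]
    for dx in range(64):
        for x in range(64):
            ddt[dx][sbox(x) ^ sbox(x ^ dx)] += 1
    return ddt


def best_differential(ddt):
    """Most likely (dx, dy, count) over all nonzero input differences."""
    candidates = (
        (dx, dy, ddt[dx][dy]) for dx in range(1, 64) for dy in range(16)
    )
    return max(candidates, key=lambda item: item[2])


def passes_difference_check(sbox, limit=16):
    """True when no nonzero input difference maps to one output
    difference for more than `limit` of the 64 inputs."""
    return best_differential(difference_table(sbox))[2] <= limit


if __name__ == "__main__":
    for name, box in (("DES S1", des_s1), ("weak box", weak_sbox)):
        dx, dy, count = best_differential(difference_table(box))
        print(f"{name}: dx={dx:#04x} -> dy={dy:#x} for {count}/64 inputs, "
              f"check passed: {passes_difference_check(box)}")
```

For S1 the most likely nonzero differential holds for 16 of the 64 inputs, while in the constructed box a chosen input difference always produces the same output difference.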


Hearing about this unhinged the NSA crowd. Apparently, 
the T Attack was very well known—and highly classified— 
behind the Triple Fence. So imagine the agency’s dismay 
when the IBM team not only discovered the trick (which, 
presumably, the NSA had been merrily employing to crack 
enemy codes) but had created a set of design principles to 
defend against it. The crypto soldiers at Fort Meade could 
not tolerate the possibility that such information might leak 
into the general literature. And so the NSA put its secrecy 
clamp down harder on IBM. 


“They asked us to stamp all our documents confidential,” 
says Tuchman. “We actually put a number on each one and 
locked them up in safes, because they were considered U.S. 
government classified. They said do it. So I did it.” 


The man who probably did the most work for IBM on the 
T Attack, Don Coppersmith, would not discuss the issue for 
twenty years. It was not until 1994, long after other 
researchers had independently discovered and described 
the technique, that he divulged the S-box design principles. 
“After discussions with the NSA,” he explained in a 
technical article for the IBM Research Journal, “it was 
decided that the disclosure of the design considerations 
would reveal the technique of differential cryptanalysis, a 
powerful technique that can be used against many ciphers. 
This in turn would weaken the competitive advantage the 
United States enjoyed over other countries in the field of 
cryptography.” 


Ultimately, IBM got what it wanted for DES—a clean bill 
of health from the NSA. (This was also a crucial factor in the 
process by which the National Bureau of Standards would 
place its imprimatur on DES as a federal standard.) But 
IBM paid a steep price for adhering to the NSA’s demands 
to keep its S-box design principles secret. The behavior of
the S-boxes in the DES system involved complicated 
substitutions and permutations that put Rube Goldberg to 
shame. The best way that outsiders could evaluate whether 
those bizarre transformations were done simply to produce 
a tougher cipher—or were clandestinely jimmied to put in a
back door by which the NSA could secretly get a head-start 
on codebreaking—was to know why the designers chose 
their formulas. So IBM’s refusal to explain the logic behind 
the S-box design encouraged critics like Diffie and Hellman 
to let their suspicions run wild and entertain all sorts of 
theories about secret back doors. 


Telling people that a presumably public algorithm was 
based on secret designs was a recipe for paranoia, and 
indeed, the resulting dish nourished critics for years. But to 
the NSA, this point was nonnegotiable. The Fort Meade 
brain trust might have considered it a necessary evil to 
allow a strong crypto algorithm into the world of banks and 
corporations. But permitting the release of sophisticated 
techniques that might encourage outsiders to bulletproof 
their own codes... well, that was quite unacceptable. 


The whole episode turned out to embody in a nutshell a 
dilemma that the NSA had yet to acknowledge, even to 
itself. For years, people at The Fort could be reasonably 
confident that when they devised a breakthrough technique 
like differential cryptanalysis, such information would be 
unlikely to tumble into the public domain. Those days were 
over. Consider that the IBM group had come across the T 
Attack on its own, without the help of government. 
Differential cryptanalysis was ultimately a mathematical 
technique just waiting to be rediscovered by someone 
outside the Triple Fence interested in sophisticated codes. 
The NSA couldn’t hold on to such mathematical 
machinations any more than an astronomer discovering a
previously unknown nebula could cover up the skies to 
mask its presence to future stargazers. 


This was to be the reality of the dawning era of public 
crypto: whether the NSA liked it or not, bright minds were 
inevitably going to reinvent the techniques and ideas that 
had been formerly quarantined at Fort Meade—and maybe 
come up with some ideas never contemplated even by the 
elite cryptographers behind the Triple Fence. 


S-boxes aside, the most controversial feature of DES would 
be its key length. Horst Feistel’s Lucifer specified a 128-bit 
key. But clearly the National Security Agency did not want 
the national encryption standard—even if it were used only 
by financial institutions and corporations—to lock 
information within such a mighty safe. By the time the 
algorithm had threaded its way through the Triple Fence 
and was released as a potential NBS standard, the key 
length had been cut in half, and then cut some more, down 
to the relatively paltry 56 bits. 


It’s hard to exaggerate the difference this makes. Assume 
that a codebreaker trying to crack DES is unable to 
discover any shortcuts to cracking. The only way that an 
intruder can recover an encrypted message, then, is to 
launch a brute-force attack, experimenting with every 
possible key combination until he finds the one that was 
used to scramble the original. Such a search is the 
equivalent of a safecracker painstakingly twisting the dial to 
stumble upon the exact series of numbers that would align 
the tumblers. Even with a computer twisting the virtual 
dials at high speed, a very large “keyspace” (a numerical 
range that contains all possible key combinations) can make 
such a search impossible to pull off. A 128-bit key is very,
very large. If a computer tried one million keys every 
second—a million different combinations of the numbers on 
the safe dial—it would take aeons to try every possible key. 


So what would be the effect of cutting the key size in half? 
To assess this, you have to keep in mind the nature of digital 
numbers. Each bit in a binary key is like a fork in the road 
that a codebreaker must negotiate in order to get to the 
destination of the correct combination of ones and zeros. 
Every fork presents a random choice between the correct 
turn and the wrong turn; a 128-bit key means that you have 
to guess the correct way to turn 128 times in a row. To 
make the course twice as difficult, you simply have to add 
one more fork; then you’ve created twice as many possible 
paths to negotiate, but still only one is correct. But to make 
the course half as difficult, you don’t divide the number of 
forks by two, but simply remove one. 


That’s why removing a single bit from the key size means 
that the encrypted message is only half as safe as it was 
before. Switching from a 128-bit key to a 127-bit key means 
you’re cutting by half the work factor to break it. If you cut 
the key size one more bit, to 126 bits, then you’ve halved 
that key. And so on. 


According to Tuchman, the Kingston group figured that a 
128-bit key was not only overkill but would require too 
much chip space and computation. “We had to fit the whole 
algorithm on there,” says Tuchman. “The S-boxes, 
everything. We were using two-micron CMOS chips, and the 
data coming in could only be 8 bytes wide [one byte equals 
eight bits]. So our first key length was 64 bits.” Sixty-four 
bits was a good fit for a chip, a number divisible by the 
eight-bit bytes. 


This was quite a dramatic reduction. It cut down the time 
required for a full search on the theoretical million-keys-a- 
second computer from billions of years to around 300,000. 
Still, a 64-bit key length was considerable in the mid-1970s, 
especially since it was agreed that computer technology 
would not be sufficiently advanced to conduct searches at 
such speeds for the next couple of decades. 


But then the Kingston group made a seemingly 
inexplicable second cut, to the mathematically awkward key 
length of 56 bits. And suddenly, the possibility of a brute- 
force attack was smack in the picture. Why did a lousy eight 
bits make such a difference? Remember, every time the key 
is reduced by a single bit, it becomes twice as easy to crack. 
So this eight-bit loss made the cipher 256 times easier to 
crack: from 300,000 years to a little over a thousand. Put 
another way: the percentage of key space that formerly 
would have occupied a foe’s computers from January to 
August could now be scanned in less than a day. 
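
The doubling-per-bit argument above can be checked by searching small keyspaces exhaustively and then scaling to the key lengths in the text. This is an added example, not from the book: the toy cipher (a Feistel network with a truncated SHA-256 round function, not DES), the function names and the sample plaintexts are constructed for illustration, and the year figures assume that an average search covers half the keyspace.

```python
"""Brute-force work factor versus key length (added illustration)."""
import hashlib

SECONDS_PER_YEAR = 365.25 * 24 * 3600
KEYS_PER_SECOND = 1_000_000                   # the text's hypothetical machine
KNOWN_PLAINTEXTS = (0x4D455353, 0x41474521)   # constructed sample blocks


def _round_function(half, key, rnd):
    """Toy round function: 16 bits of SHA-256 over key, round number and half-block."""
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def toy_encrypt(block, key, rounds=4):
    """Encrypt a 32-bit block under a key of at most 16 bits (toy cipher, not DES)."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(rounds):
        left, right = right, left ^ _round_function(right, key, rnd)
    return (left << 16) | right


def brute_force(pairs, key_bits):
    """Try keys in order; return (key, trials) for the first key that
    reproduces every known plaintext/ciphertext pair."""
    for trials, candidate in enumerate(range(1 << key_bits), start=1):
        if all(toy_encrypt(p, candidate) == c for p, c in pairs):
            return candidate, trials
    return None, 1 << key_bits


def trials_to_find(secret, key_bits):
    """Number of keys tested before `secret` is recovered."""
    pairs = [(p, toy_encrypt(p, secret)) for p in KNOWN_PLAINTEXTS]
    found, trials = brute_force(pairs, key_bits)
    assert found == secret, "search returned a wrong key"
    return trials


def worst_case_trials(key_bits):
    """Search cost when the secret is the last key tried."""
    return trials_to_find((1 << key_bits) - 1, key_bits)


def average_trials(key_bits):
    """Mean search cost over every possible secret of this length."""
    total = sum(trials_to_find(k, key_bits) for k in range(1 << key_bits))
    return total / (1 << key_bits)


def expected_search_years(key_bits, keys_per_second=KEYS_PER_SECOND):
    """Average exhaustive-search time: half the keyspace at the given rate."""
    return (1 << (key_bits - 1)) / keys_per_second / SECONDS_PER_YEAR


def cost_per_key(machine_cost, keys_per_day, service_years):
    """Machine cost spread over every key it recovers in its service life."""
    return machine_cost / (keys_per_day * 365 * service_years)


if __name__ == "__main__":
    for bits in range(6, 11):
        print(f"{bits:>3}-bit toy key: worst case {worst_case_trials(bits):>5} "
              f"trials, average {average_trials(bits):.1f}")
    for bits in (56, 64, 128):
        print(f"{bits:>3}-bit key at 1e6 keys/s: "
              f"{expected_search_years(bits):.3g} years on average")
    print(f"$20M machine, one key a day, five years: "
          f"${cost_per_key(20_000_000, 1, 5):,.0f} per key")
```

Each added bit doubles the measured trial count, and the same scaling reproduces the text's figures of roughly 300,000 years for 64 bits and a little over a thousand for 56.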


What was IBM’s explanation for this? According to 
Tuchman, it was standard company practice in hardware 
design to allow a certain number of extra bits for “parity 
checks,” a sort of synchronization to make sure that the 
electronic signals were being properly read. “It was an IBM 
internal spec,” he says, at the same time admitting that it 
was a “foolish” requirement. “We don’t do that anymore, 
but at the time we had a standard—so I had to reduce the 
key size [to accommodate the extra bits].” 


Tuchman didn’t think that this further cut really 
compromised DES. (Privately disagreeing with this was 
Horst Feistel, who still preferred a 128-bit key. But he was 
no longer actively involved with the project and would soon 
be quietly eased out of IBM itself.) Tuchman and his 
colleague Karl Meyer believed that a 56-bit key, with its 70
quadrillion variations, was more than sufficient for the 
commercial, even the financial, secrets that DES would 
protect. The idea of DES, Tuchman would argue, was to 
provide computer networks the level of security that people 
had in their physical workplaces: “locked desk drawers, 
locked doors on computer rooms, and loyal, well-behaved 
employees.” Not the military secrets customarily 
transported in exploding briefcases handcuffed to couriers 
or entrusted to spies who were taught to ingest poison pills 
upon capture. 


Others, however, have always believed that the reduction 
was caused by NSA pressure. This even included skeptics 
inside IBM, like Alan Konheim, who headed the 
mathematical team on the DES project. “Fifty-six bits is 
very unnatural,” says Konheim, obviously disregarding 
Tuchman’s “parity check” explanation. “The government 
[must have] said, ‘Listen, 64 bits is too much—make it 56.’” 
Why would IBM go along with it? “You see, IBM does 
business all over the world. It can’t send a pencil outside 
the United States without an export license. Not only that, 
when [the NSA invokes] patriotism and national security, 
well, these are not things you can argue about.” 


To outsiders like Martin Hellman and Whit Diffie, of 
course, the key size was a smoking gun that proved the 
NSA had weakened the standard for its own nefarious 
purposes. In the months after the standard was first 
announced, the Stanford cryptographers wrote a steady 
stream of suggestions and objections to their contact at the 
National Bureau of Standards—and became increasingly 
frustrated that the officials kept insisting that there was no 
problem. Hellman came to believe that the NBS wasn’t 
speaking for itself but was acting as a stooge for Fort 
Meade. 


To prove his point about the weakness of the key size, 
Hellman challenged an executive he knew at IBM to 
contradict his and Diffie’s contention that this DES key 
could actually fall in a day to a sophisticated, high-powered 
machine. At this point, the Stanford researchers were 
postulating that such a machine could be built for $20 
million. Thus, if one key were broken each day, over a five- 
year period the price of breaking each key would be around 
$10,000. Not a bad investment if some of the broken 
messages included precious data like oil reserve locations 
and corporate merger plans—such information was worth 
millions. “But even if we were off by a whole order of 
magnitude, and it would cost $100,000, that wouldn’t 
matter,” says Hellman. “Because in five years computers 
would be ten times faster, and the solution would cost only a 
tenth as much as it would now.” According to Hellman, the 
IBM executive ordered his own researchers to investigate. 
“He called me back and said that their numbers were in the 
same ballpark as ours,” says Hellman. “That was his exact 
word, the ‘ballpark.’ But he told me that the key size was 
set by the NBS, not IBM.” 


Meanwhile, officials at the NBS were assuring Hellman, in 
their responses to his frequent, increasingly pointed letters, 
that their own studies showed that a machine like the one 
envisioned by Hellman would take all of ninety-one years to 
search through a DES keyspace. Obviously, they were not 
playing in the same ballpark. 


Hellman believed that all of this was bald evidence that 
the Data Encryption Standard was a swindle from the start. 
It was all the NSA’s master plan. The supposedly benign 
NBS—acting as the NSA’s public face—allowed IBM to 
construct its algorithm independently. This gave it 
deniability: Hey, it wasn’t us spooks who cooked it up, Big 
Blue did. But by getting IBM to cut the key size to an
infuriatingly puny 56 bits, the spooks got what they wanted 
anyway. “They knew they could control the key size, which 
would ultimately control the strength of the standard,” 
complains Hellman. 


And that was the kindest interpretation. If you wanted to 
be skeptical—and like any good cryptographer, Hellman 
and his colleagues were plenty skeptical—you’d still wonder 
about the possibility of an actual trapdoor that would allow 
the Fort Meade tricksters to decode a DES message within 
seconds. Why else were they keeping the design principles 
a secret? 


In any case Hellman rejected the government’s ninety- 
one-year estimate and decided to go over the heads of the 
NBS functionaries with whom he was corresponding. On 
February 23, 1976, Hellman stated his complaints in a 
letter to Elliot Richardson, who, as secretary of commerce, 
was the ultimate boss of the NBS: 


I am writing to you because I am very worried 
that the National Security Agency has 
surreptitiously influenced the National Bureau 
of Standards in a way which seriously limited 
the value of a proposed standard, and which 
may pose a threat to individual privacy. I refer 
to the proposed Data Encryption Standard, 
intended for protecting confidential or private 
data used by non-military federal agencies. It 
will also undoubtedly become a de facto 
standard in the commercial world. 

... I am convinced that NSA in its role of
helping NBS design and evaluate possible 
standards has ensured that the proposed 
standard is breakable by NSA. 


The response Hellman received from Ernest Ambler, the 
acting director of the NBS, did little to cool him down. 
Instead of answering Hellman’s charges directly, Ambler 
gave some general comments defending DES, and praised 
the NSA for its contributions in certifying the algorithm. He 
helpfully attached an executive order which outlined “the 
functions and responsibilities of NSA.” Monkeying with 
private-sector algorithms didn’t make the list. 


That summer, Hellman, Diffie, and five other academics 
took a month to bang on the system and produced a paper 
called “Results of an Initial Attempt to Cryptanalyze the 
NBS Data Encryption Standard.” They were 
straightforward about their concerns: any algorithm 
approved by the NSA was “mildly suspect a priori” because 
“the NSA does not want a genuinely strong system to 
frustrate its cryptanalytic intelligence operations.” It was 
not surprising, then, that while falling far short of actually 
breaking a DES key, they concluded that the system could 
not be trusted. Besides the key strength, they found what 
they considered a “suspicious structure” in the S-boxes— 
possibly, they wrote, “the result of a ... deliberately set
trapdoor.” 


To IBM’s Walt Tuchman, though, the Diffie-Hellman 
complaints were a travesty born of paranoia and ignorance. 
He was no secret agent—he was a product guy—and to the 
best of his ability, he’d led a team to create a good product! 
It had been a happy day for his team when the first two 
DES devices were completed. They were shoe-box-sized 
metal cases stuffed with chips that went between a 
mainframe computer and a modem. Such a device on each 
end of a data transfer would allow two computers to 
communicate in a secret stream, impervious to 
eavesdroppers—no matter what Marty Hellman said. One 
box was sent to IBM’s Paris headquarters, the other to Lew
Branscombe’s office in Armonk. Then they made some 
history. The Paris office sent off an encrypted message to 
the Armonk machine. The Armonk machine, having been 
previously fed the symmetrical key that performed both 
encryption and decryption, deciphered the message back to 
its original form. “It went to a little printer and the message 
was printed in all the IBM newspapers,” recalls Tuchman. 
“It was some innocuous little message, of course, because 
everybody knew it was going to be published in the clear.” 


All that happiness, though, was tempered by the attacks 
that came from Hellman and friends. Tuchman and his 
colleague Karl Meyer had to defend themselves at two 
public workshops sponsored by the NBS. The second, held 
in September 1976 at the NBS’s Gaithersburg, Maryland, 
headquarters, was the most contentious. I didn’t do
anything wrong! insisted Tuchman. The key size was plenty 
big enough, and building a machine to crack DES would not 
take Hellman’s low-seven-figure pricetag, but a cool $200 
million. And if that key size wasn’t large enough, people 
could design devices to run DES through its paces twice, 
with two different keys. Though such a process might be 
difficult to set up, this would effectively double the key size 
to 112 bits—enough keyspace to confound every damned 
computer on the planet for the next gajillion years. 
(Eventually, a process would emerge called “Triple DES,” 
which would use three keys and rule out even the most 
extravagantly brutish of attacks. But all of this was a moot 
point because the version of DES with the allegedly hobbled 
56 bits was the one proposed for the standard.) 


Tuchman’s appeal failed to quiet the critics. Why didn’t 
you publish the design heuristics? they wanted to know. Did 
you put a trapdoor in DES? 


Then came the newspapers. “Those professors told the 
New York Times and the Washington Post,” Tuchman
complains. The next thing he knew, at IBM’s request, 
Tuchman himself was being interviewed. After taking a 
gander at the newly famous desks of Woodward and 
Bernstein, he told the Post reporter the same thing he told 
the Times reporter: The NSA didn’t modify the algorithm. 
They didn’t put a trapdoor in. Look, you guys, it’s 
ridiculous; we’re not going to risk the entire IBM company 
by putting a trapdoor in its product. 


Even so, the publicity took its toll. It was bad enough that 
the Times, the Post, and the Wall Street Journal were 
listening to Hellman and the critics. Worse came when 
Tuchman’s own mother called him from her retirement 
home in Florida, concerned with what friends had been 
telling her after reading the New York papers. She pleaded 
with her son, who had started life so wonderfully as a whip- 
smart college boy from Brooklyn: Please, Walter, leave IBM 
and stop hanging around with those bad people. Tuchman 
had to explain to her that he wasn’t going to wind up in a
jail cell with Ehrlichman and Haldeman—he was a good 
guy! 


After the publicity came hearings by the Senate 
Intelligence Committee. These top-secret sessions were 
closed, and the final report was classified. But a summary 
was issued for the general public, too. Its contents provided 
ammunition to both sides. 


On one hand, Hellman was proved correct in asserting 
who the power was that dictated the 56-bit key: “The NSA 
convinced IBM that a reduced key size was sufficient,” the 
report read. The reduction wasn’t, as Tuchman still insists, 
due to the rigor of chip design or the need for parity 
checks: it was the fact that the government wouldn’t
tolerate anything more. IBM knew that it would need 
export licenses for approved customers. But the NSA, 
which had been charged to collaborate with the National 
Bureau of Standards in evaluating DES as a government 
standard, certainly was not going to rubber-stamp an 
algorithm that used, in its view, too long a key. Apparently, 
the 56-bit key length provided the NSA a certain comfort 
level. Though the work factor to break a cipher of that 
length seemed dauntingly high, it was clear that if anyone 
could contemplate a brute-force attack on DES, it was the 
National Security Agency itself, with what were assumed to 
be literally acres of computers in its top-secret basement. 
Obviously, while an ideal code for users was the strongest 
one possible, the ideal code for the NSA’s purposes would 
be one that was too powerful for criminals and other foes to 
break, but just weak enough to be broken by the billions of 
subterranean computer cycles at Fort Meade. Did a 56-bit 
key fit into that sweet spot? The NSA didn’t say. And never 
would. 


Despite its conclusion that the key size was a result of 
NSA demands, the committee concluded that there was no 
wrongdoing by either IBM or the government. The Data 
Encryption Standard had been determined fairly. Like it or 
not, this was something that Marty Hellman and his friends 
would have to accept. 


It took years, but eventually they not only accepted it, but 
came to eat some crow. As Walt Tuchman proudly notes, for 
more than two decades after the algorithm was formally 
accepted as a standard in 1977, no one had been successful 
at finding a significant shortcut to cracking a DES- 
encrypted message. (Of course, if the NSA had done so, it 
would never have admitted it.) 


In 1990, outside cryptanalysts revealed the technique of 
what was called differential cryptanalysis, proving that 
under certain (admittedly rare) conditions, one could crack 
a DES key using slightly less computation than a brute- 
force attack would require. But this was essentially the “T 
Attack,” discovered by IBM during the development process 
in time to fortify the algorithm against such assault. And 
kept confidential at the NSA’s request. (A different group of 
researchers introduced another theoretical attack on DES, 
linear cryptanalysis, in 1993—but neither did it truly 
compromise the cipher.) 


So if the key size was indeed the only point of attack in 
DES—if one had to devote massive computational resources 
to breaking a single message and then wait for days, weeks, 
or months for the cipher to crumble—then the National 
Security Agency had certified what could be an 
extraordinarily powerful tool for the spread of strong 
encryption throughout the land, and maybe even the world. 
It had always been the impression of the folks behind the 
Triple Fence that the users of DES would be conservative, 
trustworthy institutions like banks and financial 
clearinghouses. They misjudged the situation. Instead, the 
development of DES marked the beginning of a new era of 
cheap, effective means of using computer power to keep 
personal information private. It was used not only in banks 
but in all sorts of commercial communications, and was 
widely available to private communications, too. Though the 
NSA still controlled its export, it quickly grew unfettered 
within U.S. borders. And while U.S. producers could not 
market DES overseas, the algorithm itself would find its 
way overseas, allowing foreign developers to make their 
own versions.


The dawning of this era of increased protection might 
have pleased some of the people in the communications
security branch of the NSA, which was in charge of 
securing American data as they moved around the globe. 
But it was already causing conniptions among those in the 
signals intelligence area, the people whose job it is to make 
sure that our guys can quickly intercept and circulate all 
the rich and fascinating information buzzing around the 
globe as electronic blips. If those blips were encrypted, and 
thus not easily read, well, then, that would be a problem. 
Making things even worse were the faster and cheaper 
computer technologies that made it feasible—made it the 
rule, in fact—for DES users to switch keys not every few 
months as the NSA assumed they might, but on a daily basis 
or even more often than that. 


Yes, the Data Encryption Standard was a problem for The 
Fort. Years later even Martin Hellman came to realize that 
his attacks sometimes were based more on bravado than 
substance. “They were Darth Vader and I was Luke 
Skywalker,” he says. “I was bearding the NSA, and that’s a 
pretty heady thing for a young guy to be involved in.” Now, 
however, he admits that there were two sides to the issue: 
that DES, despite its key size, was strong enough to provide 
a measure of security to people, and that even though the 
NSA could presumably marshal the resources to brute- 
force a DES key into submission, the process was certainly 
more cumbersome and costly than simply reading an 
unencrypted intercept. DES was the NSA’s first lesson that 
the new age of computer security was going to complicate 
its life considerably—perhaps even to the point of shaking 
the entire institution. 


Alan Konheim thinks that the bottom line on DES came 
from Howard Rosenblum. He was the deputy director for 
research and development at the NSA, where football fields 
of mainframe computers cracked the codes of the country’s 
friends and enemies and tested the codes that potentially
protected our own secrets. One day, Rosenblum and 
Konheim were talking about DES, and the NSA official 
made an off-the-cuff remark that stayed with Konheim for 
years. “You did too good a job,” he said. 


“It was not,” Konheim says delightedly, “a comment of
flattery.” 


public key 


Though Whit Diffie and Marty Hellman regarded the Data 
Encryption Standard as a tainted and possibly fraudulent 
gambit by IBM and the United States government, its 
introduction was in a strange way an important gift to the 
Stanford researchers. By combing through the available 
technical data on the proposed standard—and speculating 
on what was not made public—Diffie and Hellman had a 
new prism through which to consider their own efforts. 
Ever since Diffie had heard the first reports of the 
government standard, at a 1974 chowdown at Louie’s, the 
Chinese restaurant where Stanford geeks congregated, he 
had wondered about the possibility of an NSA trapdoor. 
This led him to a deeper consideration of the concept of 
trapdoors. Could an entire crypto scheme be built around 
one? 


Designing such a system would present considerable 
challenges, because it would have to resolve a fundamental 
contradiction. A trapdoor provides a means for those with 
proper knowledge to bypass security measures and get 
quick access to encrypted messages, something that seems 
efficient. But the very thought of using a trapdoor in a
security system seems like a nutty risk, precisely because 
crafty intruders might find a way to exploit it. It’s the same 
problem posed by a physical trapdoor: if your enemies can’t 
find it, you can use it to hide. But if they do, they’ll know 
exactly where to look for you. 


This contradiction made the prospect of designing a 
trapdoor scheme incredibly daunting. After all, the 
strongest cryptosystems were finely tuned in every aspect 
to prevent their contents from leaking. Tampering with 
their innards to insert a back door—a leak!—could easily 
produce any number of unintended weaknesses. When 
Diffie explained this to Hellman, both of them concluded 
that such a system would probably be impractical. But Diffie 
still thought it was interesting enough to add to a list he 
was compiling entitled “Problems for an Ambitious Theory 
of Cryptography.” 


Still, in early 1975, for all of Diffie’s Sisyphean labors, 
even with the fruitful collaboration with Hellman, weeks 
were going by and he didn’t seem to be getting anywhere. 
Was all his work at learning crypto against terrific odds 
going to lead to nothing? Hellman at least had a job. But 
Diffie had nothing. Though his house-sitting stint for John 
McCarthy was pleasant enough, he was now over thirty 
years old, making peanuts at his research job, and it was 
clear that he could never cope with the nit-picking hurdles 
one had to jump before earning a doctorate. Though Diffie 
was by nature cheerful, these ruminations were bringing 
him down. 


Mary Fischer recalls the lowest point. One day she walked 
into the McCarthys’ bedroom and found Diffie with his head 
in his hands, weeping. “I asked him what was wrong,” she 
says, “and he told me he was never going to amount to 
anything, that I should find someone else, that he was—and 
I remember this exact term—a broken-down old 
researcher.” 


She tried to comfort him. She told him that the world 
didn’t know it yet, but he was a great man. Mary had been 
studying Egyptology, and she explained that the ancient 
Egyptians made a distinction between acquired and innate 
characteristics. She believed “greatness” must be one of 
those traits that were not acquired—it was just there, and 
one could see it in such a person. “I know what I’m looking 
at,” she told him, “and I know you’re a great man.” 


Whit Diffie did not feel like a great man. He felt like a 
failure. 


One day Diffie and Hellman brought in a Berkeley 
computer scientist named Peter Blatman to attend one of 
the informal seminars on crypto they had been convening 
on campus. Afterward, as Diffie drove him to the Stanford 
AI lab a few miles away, Blatman mentioned that a friend of 
his named Ralph Merkle was working on an interesting 
problem: how can you get a secure conversation over an 
insecure line when the two people in the conversation have 
never had previous contact? Obviously, if the two people 
hadn’t known each other previously they would have had no 
opportunity to exchange secret keys before a private 
conversation. 


This was, in effect, a different formulation of the big 
question that had been bugging Diffie for years: was it 
possible to use cryptography to protect a huge network
against eavesdroppers, and wiretappers to boot? (More 
subtly, it reflected Mary’s observation of his dilemma: in a 
world of untrustworthy people, how do you maintain 
intimate contact with the one person you trust?) Because 
Diffie had enjoyed so little success at attacking that 
problem, he argued to Blatman that his friend’s scheme 
was in fact impossible. Diffie thinks that his outburst even 
convinced Blatman. But even as Diffie passionately argued 
the impossibility of such a feat, he secretly believed 
otherwise, and his mind was racing to figure it out. It was 
almost as if he needed there to be such a solution. 


How could you create a system where people who had 
never met could speak securely? Where all conversations 
could be conducted with high-tech efficiency—but be 
protected by cryptography? Where you could get an 
electronic message from someone and be sure it came from 
the person whose return address appeared? 


During his quest, Diffie had struggled to gather 
information in an atmosphere where almost all of it was 
classified. And he had wound up with more than anyone 
could have expected: one-way functions. Password 
protections. Identification Friend or Foe. Trapdoors. 
Somewhere in all of that had to be an answer to privacy. 
Diffie knew that reconciling the different protections 
offered by these disparate systems was crucial to his quest. 
As he thought more, he began to understand how you might 
be able to use some of those techniques to verify someone’s 
identity. He began mentally constructing a means by which 
this could be done by one-way functions, the mathematical 
phenomenon where something easily calculated could not 
easily be reversed. Such a scheme would be, as he later 
wrote, “a challenge which could only be answered by one 
person but whose response could be recognized by many as 
genuine.” In other words, a system of “one-way 
authentication,” which used the creative misunderstanding 
of his friend Bill Mann some years earlier: a trapdoor one- 
way function where the difficult reversal of a calculation 
could be performed if someone had a crucial bit of 
information on how the original figuring had been done. 


This addressed a key issue that Diffie had discussed in his 
conversations with McCarthy about electronic commerce. 
But that was only half the problem. What about privacy? 
Could the idea of a trapdoor one-way function work in a 
system that solved two problems—first, the authentication 
necessary for computer passwords and similar credentials, 
and, second, secret communication? 


That spring, Diffie had settled into a routine at the 
McCarthy house. Every morning he would make breakfast 
for Mary and Sarah, McCarthy’s fourteen-year-old 
daughter. Then Mary would go off to work, Sarah would go 
off to school, and Diffie would stay home. One day in May 
1975, he spent the morning hours thinking. After a lunch 
break, he returned to his mental work. For the umpteenth 
time, he had been thinking about the problem of 
establishing a secure log-in password on a computer 
network. Again, there was that old problem of having to 
trust the administrator with the secret password. How 
could you shut that third party out of the scheme entirely? 
Sometime in the afternoon, things suddenly became clear 
to Diffie: devise a system that could not only provide 
everything in Diffie’s recently envisioned one-way 
authentication scheme but could also deliver encryption 
and decryption in a novel manner. It would solve the 
untrustworthy administrator problem, and much, much 
more. 


He would split the key. 


Diffie’s breakthrough itself involved something that, in the 
context of the history of cryptography, seemed an absolute 
heresy: a public key. Until that point, there was a set of 
seemingly inviolable rules when it came to encryption, a 
virtual dogma that one ignored at the risk of consignment 
to crypto hell. One of those was that the same key that 
scrambled a message would also be the instrument that 
descrambled it. This is why keys were referred to as 
symmetrical. That is why keeping those keys secret was so 
difficult: the very tools that eavesdroppers lusted after, the 
decryption keys, had to be passed from one person to 
another, and then existed in two places, dramatically 
increasing the chances of compromise. But Diffie, his brain 
infused with the information so painstakingly collected and 
considered over the past half decade, now envisioned the 
possibility for a different approach. Instead of using one 
single secret key, you could use a key pair. The tried-and- 
true symmetrical key would be replaced by a dynamic duo. 
One would be able to do the job of scrambling a plaintext 
message—performing the task in such a way that outsiders 
couldn’t read it—but a secret trapdoor would be built into 
the message. The other portion of the key pair was like a 
latch that could spring open that trapdoor and let its holder 
read the message. And here was the beauty of the scheme: 
yes, that second key—the one that flipped open the 
trapdoor—was of course something that had to be kept 
under wraps, safe from the prying hands of potential 
eavesdroppers. But its mate, the key that actually 
performed the encryption, didn’t have to be a secret at all. 
In fact, you wouldn’t want it to be a secret. You’d be happy 
to see it distributed far and wide. 


Now, the idea of ensuring privacy by using keys that were 
exchanged totally in the open was completely nonintuitive, 
and on the face of it, bizarre. But using the mathematics of 
one-way functions, it could work. Diffie knew it, and for an 
illuminating instant, he knew how to do it using one-way 
functions. 


It was the answer. From that moment, everything was 
different in the world of cryptography. 


First, by presenting an alternative to systems that worked 
with a single, symmetrical key, Diffie had solved a problem 
that had become so embedded in cryptographic systems 
that it had occurred to almost no one that it could be 
solved: the difficulty of distributing those secret keys to 
future recipients of secret messages. If you were a military 
organization, you might be able to protect the distribution 
centers that handled symmetrical keys (though God knows 
there were lapses even in the most vital operations). But if 
such centers moved into the private sector, and masses of 
people needed to use them, there would not only be 
inevitable bureaucratic pile-ups but also a constant threat 
of compromise. Figure it this way: if you needed to crack an 
encrypted message, wouldn’t the very existence of a place 
that stored all the secret keys present an opportunity for 
some creep to get the keys by theft, bribery, or some other 
form of coercion? 


But with a public key system, every person could 
generate a unique key pair on his or her own, a pair 
consisting of a public key and a private key, and no outsider 
would have access to the secret key parts. Then private 
communication could begin. 


Here’s how it would work: say that Alice wants to 
communicate with Bob. Using Diffie’s concept, she needs 
only Bob’s public key. She could get this by asking him for 
it, or she might get it from some phone-book-type index of 
public keys. But it has to be Bob’s personal public key, a 
very long string of bits that could only have been generated 
by only one person in the world ... Bob. Then, by way of a 
one-way function, she uses that public key to scramble the 
message in such a way that only the private key—the other 
half of that unique key pair—performs the decrypting 
calculation. (Thus the secret key is the “trapdoor” in the 
trapdoor one-way function Diffie was thinking about.) 


So when Alice sends the scrambled message off, only one 
person in the world has the information necessary to 
reverse the calculation and decipher it: Bob, the holder of 
the private key. Say that the scrambled message gets 
intercepted by someone desperate to know what Alice had 
to say to Bob. Who cares? Unless the snooper has access to 
the unique partner of Bob’s public key—the instrument 
Alice used to convert the message to seeming mush—the 
snoop would get no more than that mush. Without that 
private key, reversing the mathematical encryption process 
is too damn difficult. Remember, going the wrong way in a 
one-way function is like trying to put together a pulverized 
dinner plate. 


Bob, of course, has no problem reading the message 
intended for his eyes only. He possesses the secret part of 
the key pair, and he can use that private key to decipher the 
message in a jiffy. 


In short, Bob is able to read the message because he is 
the only person in possession of both sides of the key pair. 
Those who obtain the public key have no advantage in 
attempting to break the message. When it comes to 
encrypted messages, the only value of having Bob’s public 
key is to, in effect, change the message to Bob-speak, the 
language that only Bob can read (by virtue of having the 
secret half of the key pair). 


This encryption function was only part of Diffie’s 
revolutionary concept, and not necessarily its most 
important feature. Public key crypto also provided the first 
effective means of truly authenticating the sender of an 
electronic message. As Diffie conceived it, the trapdoor 
works in two directions. Yes, if a sender scrambles a 
message with someone’s public key, only the intended 
recipient can read it. But if the process is inverted—if 
someone scrambles some text with his or her own private 
key—the resulting ciphertext can be unscrambled only by 
using the single public key that matches its mate. What’s 
the point of that? Well, if you got such a message from 
someone claiming to be Albert Einstein, and wondered if it 
was really Albert Einstein, you now had a way to prove it—a 
mathematical litmus test. You’d look up Einstein’s public 
key and apply it to the scrambled ciphertext. If the result 
was plaintext and not gibberish, you’d know for certain that 
it was Einstein’s message—because he holds the world’s 
only private key that could produce a message that his 
matching public key could unscramble. 


In other words, applying one’s secret key to a message is 
equivalent to signing your name: a digital signature. But 
unlike the sorts of signatures that are penned on bank 
checks, divorce papers, and baseballs, a digital John 
Hancock cannot be forged by anyone with the minimal skills 
required to replicate the original signer’s lines and loops. 
Without a secret key, the would-be identity thief has scant 
hope of producing a counterfeit signature. 


Nor could a would-be forger hope to monitor a phone 
line, wait until his prey’s digital signature appears, and then 
snatch it, with the intention of reusing the signature to 
create faked documents or to intercept future messages. In 
practice, a digital signature is not applied as an appendage 
to the document or letter to which it is affixed. Instead it is 
deeply interwoven with the digits that make up the actual 
content of the entire message. So if the document is 
intercepted, the eavesdropper cannot extract from it the 
tools to stamp the sender’s signature on some other 
document. 


This technique also assures the authenticity of an entire 
document. A foe cannot hope to change a small but crucial 
portion of a digitally signed document (like switching the 
statement “I am not responsible for my spouse’s debts” to “I 
take full responsibility for my spouse’s debts,” all the while 
maintaining the signature of the unwitting sender). If the 
message was digitally signed with a private key but 
unencrypted, such a rogue could intercept it, use the 
sender’s well-distributed public key to descramble it, and 
then make the change in the plaintext. But what then? In 
order to resend the text with the proper signature, our 
forger would require the private key to fix the signature on 
the entire document. That secret key, of course, would be 
unobtainable, remaining in the sole possession of the 
original signer. 


If someone sending a signed message wanted secrecy in 
addition to a signature, that’s easy, too. If Mark wanted to 
send an order to his banker, Lenore, he’d first sign the 
request with his private key, then encrypt that signed 
message with Lenore’s public key. Lenore would receive a 
twice-scrambled message: shaken for privacy, stirred for 
authentication. She would first apply her secret key, 
unlocking a message that no one’s eyes but hers could read. 
Then she would use Mark’s public key, unlocking a message 
that she now knows only he could have sent. 
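
The sign-then-encrypt exchange between Mark and Lenore, as an added Python example that is not from the book. The book names no concrete trapdoor function at this point in the story, so textbook RSA stands in for it; the Mersenne-prime keys, the `FRAME` tag and the sample order are constructed for the demo and are not secure.

```python
from dataclasses import dataclass

E = 65537          # common public exponent
FRAME = b"MSG:"    # constructed framing: makes "plaintext, not gibberish" machine-checkable


@dataclass(frozen=True)
class KeyPair:
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent; never leaves its owner


def toy_keypair(p_bits: int, q_bits: int) -> KeyPair:
    """Textbook RSA key built from two Mersenne primes 2**k - 1.

    Demo only: primes of this form make the modulus trivial to factor.
    """
    p, q = (1 << p_bits) - 1, (1 << q_bits) - 1
    return KeyPair(n=p * q, e=E, d=pow(E, -1, (p - 1) * (q - 1)))


def sign(message: bytes, signer: KeyPair) -> int:
    """Scramble the framed message with the signer's PRIVATE key."""
    m = int.from_bytes(FRAME + message, "big")
    if m >= signer.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, signer.d, signer.n)


def open_signed(signature: int, n: int, e: int):
    """Apply the signer's PUBLIC key; return the message, or None for gibberish."""
    m = pow(signature, e, n)
    raw = m.to_bytes((m.bit_length() + 7) // 8, "big")
    return raw[len(FRAME):] if raw.startswith(FRAME) else None


def sign_then_encrypt(message: bytes, sender: KeyPair, rcpt_n: int, rcpt_e: int) -> int:
    """Sender signs with own private key, then encrypts with recipient's public key."""
    signature = sign(message, sender)
    if signature >= rcpt_n:
        raise ValueError("recipient modulus must exceed the signature value")
    return pow(signature, rcpt_e, rcpt_n)


def decrypt_then_verify(ciphertext: int, recipient: KeyPair, sender_n: int, sender_e: int):
    """Recipient removes the privacy layer with her private key, then checks the signature."""
    signature = pow(ciphertext, recipient.d, recipient.n)
    return open_signed(signature, sender_n, sender_e)


# Constructed toy keys: Lenore's modulus is larger so Mark's signature fits inside it.
MARK = toy_keypair(89, 107)
LENORE = toy_keypair(127, 521)
ORDER = b"WIRE 500 TO ACME"  # constructed sample message

if __name__ == "__main__":
    wire = sign_then_encrypt(ORDER, MARK, LENORE.n, LENORE.e)
    print("Lenore reads:", decrypt_then_verify(wire, LENORE, MARK.n, MARK.e))
    # A value altered in transit no longer opens to framed plaintext.
    print("Tampered    :", decrypt_then_verify(wire ^ 1, LENORE, MARK.n, MARK.e))
    # A signature checked against the wrong public key is gibberish too.
    print("Wrong signer:", open_signed(sign(ORDER, MARK), LENORE.n, LENORE.e))
```

Deployed signature schemes sign a padded hash of the message rather than the raw message; the message-recovery form here follows the book's description of scrambling the text itself.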


Digital signatures offer another advantage. Since it is 
impossible for a digitally signed message to be produced by 
anyone but the person who holds the private key that 
scrambles it, a signer cannot reasonably deny his or her 
role in producing the document. This nonrepudiation 
feature is the electronic equivalent of a notary public seal. 


For the first time, it became possible to conceive of all 
sorts of official transactions—contracts, receipts, and the 
like—to be performed over computer networks, with no 
need for one’s physical presence. 


In short, Diffie had not only figured out a way to assure 
privacy in an age of digital communications, but he had 
enabled an entirely new form of commerce, an electronic 
commerce that had the potential not only to match but to 
exceed the current protocols in commercial transactions. 
Even more impressive, his breakthrough had been 
performed completely outside the purview of government 
agencies in close possession of even the most trivial details 
of the most obscure cryptographic system. 


What a triumph for Whit Diffie! And what a panic he had 
when, scant moments after hatching one of the most 
important breakthroughs in cryptographic history, Whit 
Diffie almost forgot the whole thing. He went downstairs to 
get a Coke and for one horrible moment the idea simply fell 
out of his head. He stepped back around the kitchen 
counter, and, just like that, he got it back. This time, it 
stuck. Still, he didn’t write it down; suddenly, he was 
hyperaware that the computer on which he kept his notes 
was not secure. There was no way to encrypt his thoughts 
so that intruders could not steal them. He would have to tell 
Marty Hellman about it face-to-face. 


But first he waited until Mary got home from work. 


When Mary Fischer came home from British Petroleum 
that day, she found her husband waiting for her at the door. 


This was not usual. He had a strange look on his face, and 
he told her to come to him, that he wanted to talk to her. 


“I think,” said Whit Diffie, “I’ve made a great discovery.” 


He explained his idea to her. Though the mathematics of 
the procedure were beyond her, the concept rang true. 
What’s more, from Mary’s close observation of her husband 
during the years he had wrestled with the problem, she 
found the solution to be not just fitting, but poetic. “Whit 
has always been a dualistic individual,” she says of her 
husband, born under the sign of Gemini, “and I think that 
the notion of splitting the key emerged from that tension.” 


He was not a broken-down old researcher after all. 


That night Diffie walked down the hill to Hellman’s house to 
tell him, for the first time, about public key cryptography. It 
took a bit of explaining, but Hellman quickly understood the 
significance of Diffie’s brainstorm. It remained, however, for 
them to formalize it, to put it into scientific context, and to 
publish it. Marty Hellman had just the place for it; he had 
been invited to write a paper for the journal IEEE 
Transactions on Information Theory, and he broached this 
idea to his editor, who enthusiastically endorsed his 
suggestion that he and Diffie collaborate on developing this 
concept. (The IEEE, or Institute of Electrical and Electronic 
Engineers, was a prominent academic engineering society 
which published a variety of journals, some the most 
influential in their disciplines.) They set about working on it 
immediately, squarely facing the fact that while Diffie had 
successfully envisioned a system that could catapult 
cryptography into a new era, his vision was all they had. 


Even to Hellman, the concept, he later recalled, 
sometimes “sounded a little crazy.” One day he decided to 
run it past his former IBM colleague Horst Feistel. It was a 
weird conversation. Hellman had barely begun talking 
when Feistel told him that they could only talk for twenty 
minutes or so because he was on his way to a doctor’s 
appointment. So Hellman hastily explained how he and 
Diffie had gotten around the key distribution problem by 
postulating a trapdoor one-way function that allowed you to 
use a public key. Feistel didn’t buy it at all. “You can’t do 
that!” he admonished Hellman, lecturing to him that the 
great Flemish cryptologist Auguste Kerckhoffs, in his 
landmark 1881 work La cryptographie militaire, had laid 
out six ironclad commandments for producing secure 
ciphers, and one of them was that all secrecy must reside 
not in the system but in the keys. How, then, concluded the 
IBM genius behind the Lucifer cipher, could you even think 
of making a key public? (Had Feistel not been in such a 
hurry to make his doctor’s appointment, perhaps he would 
have understood that Diffie and Hellman’s idea quite 
elegantly conformed to Kerckhoffs’s stringent 
requirements, that the security of public key systems lay in 
the fact that a private key was never accessible to anyone 
but its owner.) 


Feistel was right on one count: Diffie’s concept was a 
heresy. But “heresy is the way changes begin,” says 
Hellman. For the next few weeks the pair worked intensely 
on creating the mathematical basis for the theory of public 
key cryptography. Hellman by then had figured out how his 
collaboration with his mercurial partner would work: “Whit 
often, playing with ideas, sees something first in an 
embryonic form,” he says, “and then I take it to a more 
polished result.” 


In this case, the result was a paper called “Multiuser 
Cryptographic Techniques.” In a sense, the work was a 
placeholder—something that would express the public key 
idea while its authors burned brain cells attempting to find 
a way to actually execute the concept. “At present,” they 
admitted in the paper, “we have neither a proof that public 
key systems exist, nor a demonstration system.” While they 
had laid out the mathematical basis for such a system, they 
were still groping for the precise functions—particularly the 
trapdoor one-way functions—that would make it happen. 
Still, those who received early drafts of the paper found it 
an astounding twist on the conventional cryptographic 
wisdom, a foray into territory where no one, from 
Trithemius to Turing, had dared venture. 


Or had they? Of course, if someone had come up with this 
behind the Triple Fence or any of its foreign cousins, Diffie 
and Hellman wouldn’t have known it. Certainly, if anyone 
had actually published anything about it, Diffie would 
probably have discovered the paper in his extensive 
research of the past few years. 


As it turned out, there had been at least one outsider who 
had been thinking along the same lines as Diffie and 
Hellman. 


In early February 1976, Marty Hellman received an 
intriguing letter from a graduate student at the University 
of California at Berkeley: 


Dear Dr. Hellman, 


About three days ago, a copy of your working 
paper, “Multiuser Cryptographic Techniques,” 
fell into my hands. Just prior to this, I had 
finished revising a paper on the same subject, 
which will shortly be re-submitted to the 
Communications of the ACM [Association of 
Computing Machinery]. (Original submission 
was in August 1975.) I enclose a copy of it in the 
hopes that you'll find it interesting. Actually, I’m 
glad to know there’s someone else who’s 
interested in the problem. The people with 
whom I try and discuss it either fail completely 
to understand what’s going on, or regard any 
attempt at solution as impossible. Fortunately 
the (partial) solution described in the enclosed 
paper demonstrated that it is possible. Now, if 
only we can do better!... 


The letter ended with a proposal: “The possibility arises of 
doing joint work, and I would be interested in this 
possibility. I hope to hear from you, and wish you the best of 
luck in the hunt.” 


It was signed Ralph C. Merkle. The return address, in 
Berkeley, seemed to coincidentally reflect the speed with 
which things were now moving: Haste Street. 


Merkle’s name had actually come up some months before: 
he was the Berkeley student whose work had been 
mentioned to Diffie by mutual friend Peter Blatman, a 
mention that led Diffie to unkink his thought process and 
make the crucial public key connection. Now it appeared 
that, working totally independently and with no more 
equipment than his own brain, Merkle had already made a 
breakthrough similar to Diffie’s. What’s more, according to 
the unpublished paper he enclosed, he had actually turned 
the trick that Hellman and Diffie were still fumbling to 
perform: he’d created a public-private key scheme. 


Like Marty Hellman and Whit Diffie, Merkle was the son 
of an educated man; his father had been the associate 
director of the Lawrence Livermore Laboratory, one of the 
nation’s top military research facilities, until he died of 
colon cancer in 1966. (The illustrious nature of Merkle’s 
family extends to his great-uncle Fred, a professional 
ballplayer who made the famous omission of not touching 
second base in a game that ultimately decided the 1908 
National League pennant race.) Young Ralph Merkle was, 
understandably, a science buff, a math whiz, and, by the 
time he enrolled as an undergraduate at Berkeley, a 
computer enthusiast. As for cryptography, “I had not 
displayed any noticeable high interest in the subject area,” 
he says. This changed during the fall 1974 semester, when 
Merkle, in his last term as an undergrad, took a class 
known as CS 244, on computer security. Taught by Lance 
Hoffman, an assistant professor in the department of 
electrical engineering and computer sciences, the course’s 
key requirement, besides a November midterm, was a term 
project. “Grading is done on a curve,” wrote Hoffman on 
the syllabus, “but if you do excellent work in a class full of 
geniuses, fear not! You’ll still get your A.” 


Hoffman included cryptography in CS 244 but not at a 
particularly sophisticated level. Since the varieties of crypto 
deployed by the government were classified, those used in 
the private sector, even in academia, were relatively 
rudimentary. “We didn’t get into the details,” admits 
Hoffman now. “I’m sure I would teach the Caesar cipher 
and things like that. Don’t forget, all you really had back 
then were substitution ciphers and transposition ciphers 
and combinations.” 


But almost from the moment the class first met on 
October 1, convening twice a week until December 5, when 
final papers were due, Ralph Merkle began thinking more 
ambitiously. Hearing about the way cryptography operated 
—as a means to protect information that might be exposed 
to eavesdroppers—he hardly paused to concentrate on 
what everybody since Caesar had considered the main 
problem: coming up with stronger, less crackable 
cryptosystems that would be encoded and decoded by a 
symmetrical key. 


Instead, for reasons that remain unclear but are probably 
related to Merkle’s unconventional mind, he fixated on what 
struck him as a weird, somewhat challenging aspect of a 
more basic dilemma. The essential cryptographic scenario 
assumed that the channel of communication was 
vulnerable. This was certainly the case in telegraph 
transmission, radio broadcasts, and the subject of 
Hoffman’s course, open computer networks. But what 
measures could you exploit if you wanted to communicate 
with someone who wasn’t already in possession of a 
prearranged, secure symmetrical key? Was there a way in 
which those two people could spontaneously engage in a 
conversation that would be clear to both of them but 
opaque to whoever was listening? As Diffie and Hellman 
now understood, this was a problem no one else had 
tackled, undoubtedly because it defied solution. 


Merkle, unpolluted with knowledge about the theory or 
history of crypto, was unaware of the apparent impossibility 
of his mission. He simply tried to solve the problem. The 
crucial aspect of the situation, he figured, lay in the 
different circumstances of two people who wished to 
privately communicate and a potential interloper. The pair 
were actively involved in a conversation, while the 
interloper was a passive listener. He sensed that his 
solution lay in exploiting the conspiracy of the private 
communicators, creating a situation where, says Merkle, 
“the active participants can confuse the heck out of the 
passive listener, even though the listener hears everything.” 
Merkle began thinking about this almost obsessively. And 
one night, in October 1974, sitting in bed in his small 
apartment staring at the ceiling, Merkle figured out a way 
this might be done. 


Puzzles. 


Here’s the scheme that Merkle conceived in the dark. The 
situation is classic: Bob and Alice want to communicate. Bob 
is a sender and Alice is the intended recipient of a secret 
message. Unfortunately, there exists an unwanted 
eavesdropper, Eve, who has access to anything that passes 
between those two parties. How can Bob send a message 
that Alice can read and Eve can’t? First, he creates puzzles. 
Each puzzle is an encrypted message scrambled by a 
relatively small key—something solvable with a modicum 
amount of brute-force effort, a challenging yet feasible task 
for Alice’s computer. “That’s why it’s a puzzle,” says Merkle. 
“It’s hard to solve but it’s solvable, by searching through all 
the combinations of the keyspace.” With the use of his own 
computer, Bob creates not one puzzle, but thousands, 
maybe millions, of these puzzles. All of these are sent off to 
Alice. 


Alice, in effect, spreads these puzzles on the floor and 
chooses one at random. (Eve, of course, is capable of 
intercepting all those puzzles—but she would not know 
which particular one Alice chose.) Then Alice attacks her 
chosen puzzle by having her computer search through the 
keyspace until the solution is revealed. That solution 
includes a string of numbers: it’s the decrypted message of 
that puzzle. At this point both Alice and Bob have the 
solution to that particular puzzle. Bob, of course, knows the 
solution because it’s his own puzzle—he has the answers to 
all the puzzles he’s sent off. But Eve doesn’t have that 
solution. Even though she may have intercepted Bob’s 
massive transmission to Alice, she doesn’t have the time or 
computer power to find the answer to all the puzzles—and 
she doesn’t know which one Alice selected. 


The next step requires Alice to inform Bob which puzzle 
was chosen. That’s easy; among the contents of the 
encrypted puzzle would be an identifier (something that 
says, for instance, “Hey! I’m Puzzle No. 3!”) and a long 
digital key. So when Alice ships back the message, “Puzzle 
No. 3,” Bob can look up which key is stored in that puzzle. 
At this point, they would both be in possession of a shared 
secret key they could use to conduct further secret 
communications. Eve may even hear that it’s Puzzle No. 3, 
but she would have no clue which one of the millions of 
puzzles that refers to. Remember, she has to crack all the 
puzzles in order to get the keys. While this might be a 
feasible task with the help of some extremely super 
computer, it would always require much more effort than it 
took Bob and Alice. Maybe millions of times more. But the 
amount of effort wasn’t the point. 
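
The puzzle exchange described above, as an added Python sketch that is not from the book or from Merkle's paper. The toy SHA-256 keystream cipher, the `MARKER` tag, the 10-bit puzzle key and the puzzle count are assumptions chosen so the whole exchange runs in a moment.

```python
import hashlib
import secrets

MARKER = b"PUZZLE!!"   # constructed 8-byte tag that identifies a correct decryption
WEAK_KEY_BITS = 10     # assumed puzzle strength: 1,024 candidate keys per puzzle


def _keystream(weak_key: int) -> bytes:
    """32-byte keystream derived from the small puzzle key (toy cipher for this demo)."""
    return hashlib.sha256(b"merkle-puzzle" + weak_key.to_bytes(4, "big")).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_puzzles(count: int):
    """Bob: build `count` puzzles and keep a private table puzzle_id -> session key."""
    puzzles, table = [], {}
    for _ in range(count):
        puzzle_id = secrets.token_bytes(8)      # random, so it says nothing about position
        session_key = secrets.token_bytes(16)   # the "long digital key" inside the puzzle
        weak_key = secrets.randbelow(1 << WEAK_KEY_BITS)
        plaintext = MARKER + puzzle_id + session_key   # exactly 32 bytes
        puzzles.append(_xor(plaintext, _keystream(weak_key)))
        table[puzzle_id] = session_key
    return puzzles, table


def solve(puzzle: bytes):
    """Brute-force one puzzle. Returns (puzzle_id, session_key, keys_tried)."""
    for tried, weak_key in enumerate(range(1 << WEAK_KEY_BITS), start=1):
        plaintext = _xor(puzzle, _keystream(weak_key))
        if plaintext.startswith(MARKER):
            return plaintext[8:16], plaintext[16:], tried
    raise ValueError("no key in the keyspace opens this puzzle")


def eavesdrop(puzzles, announced_id: bytes):
    """Eve: she holds every puzzle and hears the announced ID, but the ID is only
    visible inside a solved puzzle, so she solves them one by one until it matches."""
    work = 0
    for puzzle in puzzles:
        puzzle_id, session_key, tried = solve(puzzle)
        work += tried
        if puzzle_id == announced_id:
            return session_key, work
    raise ValueError("announced ID not among the intercepted puzzles")


def run_exchange(count: int = 200):
    """One full exchange. With N puzzles of K keys each, Alice tries about K/2 keys
    while Eve tries about N*K/4 on average: the gap grows with the number of puzzles."""
    puzzles, bob_table = make_puzzles(count)          # Bob -> Alice, in the clear
    chosen = secrets.choice(puzzles)                  # Alice picks one at random
    puzzle_id, alice_key, alice_work = solve(chosen)
    bob_key = bob_table[puzzle_id]                    # Alice -> Bob: puzzle_id, in the clear
    eve_key, eve_work = eavesdrop(puzzles, puzzle_id)
    return {
        "alice_key": alice_key, "bob_key": bob_key, "eve_key": eve_key,
        "bob_work": count, "alice_work": alice_work, "eve_work": eve_work,
    }


if __name__ == "__main__":
    result = run_exchange()
    print("shared key agreed:", result["alice_key"] == result["bob_key"])
    print("keys tried by Alice:", result["alice_work"])
    print("keys tried by Eve  :", result["eve_work"])
```

Eve still recovers the key in the end: the scheme only makes her pay far more than Alice and Bob did, which is why the gap, not absolute secrecy, is what the passage stresses.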


Here was the point: Ralph Merkle, in a tiny Berkeley 
apartment, totally off the National Security Agency’s radar 
screen, had figured out a way in which two people, with no 
prior agreement on a secret key, could send a secret 
message that would frustrate the cracking efforts of a 
diligent eavesdropper. 


What goes through the mind of someone who comes up 
with a totally novel concept of cryptography, something that 
confounds what has been the mainstream thought in this 
field for over a thousand years? “My first response was, 
‘Gee this looks neat; I ought to be able to get a quarter 
project out of it.’ ” says Merkle. If that seemed like an 
understatement, it was nevertheless an overly optimistic 
one. The protocol for the research paper, or the “quarter 
project,” was to submit a proposal to Professor Hoffman, 
and Merkle promptly wrote up a description of what he 
wanted to do. Of necessity, it was skimpy and vague. “I 
couldn’t cite any previous literature saying this is an 
important problem because I’d never seen any literature 
saying this was an important problem,” explains Merkle. “I 
suspected [correctly] that there was no previous literature. 
So I basically wrote up a little thing about it.” As a backup, 
he also mentioned that he was also thinking about a paper 
on data compression. 


After reading the proposal, Lance Hoffman told his 
student he’d be better off writing about the data 
compression problem. 


Merkle tried to persuade his professor otherwise, 
recasting his proposal several times in an attempt to get 
Hoffman to concede that it was at least interesting enough 
to pursue further. But Hoffman wouldn’t even toss him that 
harmless bone. Why not? “Let me be polite and simply say 
he did not appear to understand what I was saying at the 
time,” says Merkle. “So I dropped the course.” 


Years later, Hoffman, now a Georgetown professor who 
has become an expert on issues of cryptographic policy, 
would ruefully recall the incident, attributing the rejection 
to a combination of Merkle’s abstruse writing style and his 
own failings as a mathematician. “Merkle struck me as a 
young sort of pimply faced kid who might have a good idea, 
but it wasn’t clear to me that I had the time to extract it out 
of him, or that he had the communication skills to deliver it 
in a way I could at least understand,” he says. “I’ve got a 
math degree from Carnegie Tech, but I’m not a 
mathematician, and so he probably needed somebody like 
Marty Hellman to really sit down with it.” 


Merkle, of course, did not know about Marty Hellman yet. 
He just wanted someone, anyone, to assure him that his 
instincts were correct, that he had stumbled on something 
significant. But the usual reaction of the Berkeleyites he 
asked was similar to Hoffman’s. “Basically people sort of 
stared at me and were utterly baffled by what I was talking 
about,” Merkle says, “on the grounds that it was obviously 
something very strange.” Finally, one of Merkle’s 
professors, Robert Fabry, offered some encouragement. 
This is a good idea, he told Merkle—you should try to get it 
published. So Merkle rewrote the paper more formally, 
hoping to publish it in the prestigious Communications of 
the ACM. He entitled it “Secure Communications Over 
Insecure Channels,” and in August 1975 formally submitted 
it to Sue Graham, the journal’s editor. 


On October 22, 1975, Graham wrote to Merkle. An 
“experienced cryptography expert” had gone over his 
paper, she explained, and found the article unworthy of 
publication. In the words of the reader (due to the practice 
of “blind refereeing,” his or her name was withheld, but 
typically such readers were the illuminati in a given field), 
the gaping flaw in the paper was its very premise: assuming 
that a cryptosystem could work without the secure delivery 
of keys. What made Merkle’s idea revolutionary also made 
it unacceptable. “I am sorry to have to inform you that the 
paper is not in the mainstream of present cryptography 
thinking,” said the reader. “Experience shows that it is 
extremely dangerous to transmit key information in the 
clear.” Sue Graham herself took pains to emphasize that 
she agreed with the referee. “I read the report myself and 
was particularly bothered by the fact that there are no
references to the literature,” she wrote. “Has anyone else
ever investigated this approach[?]” 


The answer, as far as published work was concerned, was 
no. 


Merkle was disappointed, but not defeated. His mien may 
not have been as swashbuckling as that of his father, who 
was once referred to as a “perfect combination of physicist 
and pitchman” and was known for blasting through the 
Livermore Lab parking lot at high speeds in a beat-up 
Packard convertible. But he did inherit a dogged 
perseverance. So he kept revising and rerevising his paper, 
despite a series of further rejections. “What was striking,” 
he said later, “was how the publication process was tuned 
to incremental improvements, but was very bad at handling 
something that is fundamentally different.” He just knew, 
though, that the idea was worth pursuing. “It couldn’t be 
wrong because it was simple,” he says. “It was unclear 
exactly what it would lead to, but it was pretty obvious it 
should be made available. I basically wanted to publish that 
idea and say, ‘Here is a neat idea—it clarifies what this 
problem is, it clarifies the fact that a solution is feasible, and 
it is now a well-defined research problem. Now let’s get 
some other folks in there and see what else we can find.’ ” 


In early 1976, just as Merkle was beginning to lose faith, 
a colleague told him that he knew some people who talked 
just the way he did, notably a guy named Marty Hellman. 
Coincidentally, one of Hellman’s courses was being carried 
on a closed-circuit broadcast line between Stanford and 
Berkeley. Merkle managed to tune into the audio portion of 
one of the sessions and immediately realized that Marty 
Hellman was indeed thinking the same things he was. By 
that time, a draft of Diffie and Hellman’s “Multiuser 
Techniques” paper was being privately distributed, and
Merkle managed to get hold of a copy. Instead of grinding
his teeth at seeing that someone else had published first, 
Merkle became excited at the idea that work on “his” 
concept was actually being done. His immediate instinct 
was to team up with the Stanford researchers. Thus his 
letter to Hellman of February 7, where he proposed a 
collaboration and included a draft of his paper in place of a
vitae. 


Merkle’s work was a revelation to Diffie and Hellman, 
neither of whom had really thought that they would see a 
possible implementation of their idea for some time. 
Merkle’s puzzle concept, though it still had problems, was a 
definite advance. Soon Merkle became part of Hellman’s 
discussions with Diffie on implementing public key 
cryptography. Merkle wondered how his puzzle scheme 
could be jiggered to work within the kind of public key 
cryptosystem that Diffie and Hellman had suggested. In a 
letter dated April 2, 1976, he proposed a system in which 
each user would have a unique arrangement of puzzles— 
and that itself would be the public key. “Thus,” he wrote, “if 
anyone wishes to send a message to A, then all they have to 
do is select one of A’s puzzles at random. They then encrypt
their message, and send it to A. A looks up the puzzle key 
using the puzzle ID on the front of the message. Anyone 
else is up shit’s creek, because they can’t figure out the 
puzzle key.” 


Merkle also speculated on how puzzles, integrated into a 
public key system, could also provide a way to get receipts 
to prove that messages had been delivered. With that as a
lure, he confided that he was looking for a summer job. His 
concluding sentence referred to the main practical flaw of 
his system—that the level of security provided by puzzles 
was merely at the mathematically polynomial level, not the 
more rigorous exponential level. An eavesdropper would
have to perform a lot of work in order to crack the puzzles,
but that work factor was limited by the number of puzzles. 
Say that in the puzzle cryptosystem, Alice sent Bob a million 
puzzles to choose from, but intruder Eve had a computer 
that was a thousand times faster than Bob’s. (Not a wild 
assumption if you figure that wealthy governments with 
huge computational resources might want to break 
somebody’s message code.) Then, in the time it took Bob to 
solve a single randomly chosen puzzle, Eve would be able to 
solve a thousand puzzles. If it took Bob a minute to solve his 
puzzle, Eve would solve the entire set of one million puzzles 
in about sixteen hours—a totally intolerable situation for 
those needing strong protection. Even if Eve’s computer 
was no more powerful than Bob’s, she could crack all the
puzzles in less than two years. If maintaining secrecy was 
essential, that wasn’t very desirable, either. (On the other 
hand, such a spread was sufficient for authentication, since 
breaking a signature key a year after it was used wouldn’t 
give a foe any appreciable advantage.) Any decent 
encryption system had to assure that whatever one-way 
function was used, a mathematically exponential relation 
would exist between the easy calculation of the 
communicator and the more difficult task posed to the 
cracker. Ideally, this should jack up a foe’s work factor to a 
task requiring thousands, millions, or even billions or 
trillions of years of crunching. Merkle was hopeful that he 
could figure out a way for his system to satisfy these 
conditions. “Perhaps,” he wrote Hellman, “we can get 
exponential by the end of the summer.” 
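The work-factor gap described above can be measured directly. The following Python sketch is an added example, not code from the book or from Merkle's paper; the puzzle format (a known marker, a 4-byte ID and a 16-byte session key hidden behind a hash-derived pad keyed by a small number) and all names are assumptions chosen for illustration.

```python
import hashlib
import random

MARKER = b"PUZZLE"  # constructed known prefix so a solver can recognise success


def _pad(weak_key, length):
    """Keystream for one puzzle, derived from its deliberately small key."""
    seed = b"toy-puzzle" + weak_key.to_bytes(4, "big")
    return hashlib.sha256(seed).digest()[:length]


def _xor(data, pad):
    return bytes(d ^ p for d, p in zip(data, pad))


def make_puzzles(count, difficulty, rng):
    """Alice: build `count` puzzles, each hiding (id, session key) behind a
    weak key drawn from range(difficulty). Returns (puzzles, private table)."""
    table, puzzles = {}, []
    for puzzle_id in rng.sample(range(2**32), count):  # unique ids
        session_key = rng.getrandbits(128).to_bytes(16, "big")
        table[puzzle_id] = session_key
        plain = MARKER + puzzle_id.to_bytes(4, "big") + session_key
        weak_key = rng.randrange(difficulty)
        puzzles.append(_xor(plain, _pad(weak_key, len(plain))))
    return puzzles, table


def solve(puzzle, difficulty):
    """Open one puzzle by trying every weak key.
    Returns (puzzle id, session key, number of keys tried)."""
    for weak_key in range(difficulty):
        plain = _xor(puzzle, _pad(weak_key, len(puzzle)))
        if plain.startswith(MARKER):
            return int.from_bytes(plain[6:10], "big"), plain[10:], weak_key + 1
    raise ValueError("no key in range opens this puzzle")


def run_protocol(count=200, difficulty=256, seed=1976):
    # Seeded generator so the demo is repeatable; real keys need `secrets`.
    rng = random.Random(seed)
    puzzles, alice_table = make_puzzles(count, difficulty, rng)

    # Bob solves one puzzle chosen at random and announces only its id.
    bob_id, bob_key, bob_work = solve(rng.choice(puzzles), difficulty)
    alice_key = alice_table[bob_id]  # Alice looks the key up by id

    # Eve sees every puzzle and the announced id, but not which puzzle Bob
    # picked, so she opens puzzles until one of them reveals that id.
    eve_work, eve_key = 0, None
    for puzzle in puzzles:
        found_id, key, tries = solve(puzzle, difficulty)
        eve_work += tries
        if found_id == bob_id:
            eve_key = key
            break

    return {"alice_key": alice_key, "bob_key": bob_key, "eve_key": eve_key,
            "bob_work": bob_work, "eve_work": eve_work,
            "ceiling": count * difficulty}


if __name__ == "__main__":
    result = run_protocol()
    print("Bob's trial decryptions:", result["bob_work"])
    print("Eve's trial decryptions:", result["eve_work"])
    print("Eve's ceiling (puzzles x difficulty):", result["ceiling"])
```

Eve's cost is capped at the number of puzzles times the cost of one puzzle, so adding puzzles raises her work only in proportion. That cap is the polynomial limit the passage refers to.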


While Merkle was figuring out how to get exponential, 
Diffie and Hellman focused on finding their own means of 
implementing a public key cryptosystem. Without some way 
of actually putting their ideas into action—or at least 
proving that some feasible scheme could exist—the whole
concept of public key cryptography would be merely a
mathematical mind-trick. 


One path was suggested by Stanford computer scientist 
Donald Knuth, whose encyclopedic series of books in 
progress, The Art of Computer Programming, would earn 
him the reputation as the high guru of algorithms. Knuth 
reminded them of an interesting mathematical 
phenomenon: while it is child’s play to multiply a pair of 
prime numbers, reversing the process—a task known as 
factoring—is an assignment that could confound the devil 
himself. Could this phenomenon be the basis for a devilishly 
challenging one-way function? Though Diffie and Hellman 
did not choose to pursue this idea, others would. 


Another alternative involved computational complexity, 
and Diffie pored over a book on the subject, particularly a 
chapter on what was known as NP-complete functions. The 
class of NP-complete problems, Diffie later wrote, are 
“problems thought not to be solvable in polynomial time on 
any deterministic computer.” This meant that they were so 
hard that you could set your Macintosh, or even your Cray 
supercomputer (if you were the NSA), to work on the 
problem and when you checked the results a few trillion 
years later, you wouldn’t even be in the general 
neighborhood of solving it. But though Diffie did have some 
ideas on using complexity to create a formula for a one-way 
cryptographic function, he never found a way to do it with 
trapdoors. 


It was a suggestion by one of Hellman’s colleagues in 
Stanford’s electrical engineering department, John Gill, 
that proved most promising. Gill pointed to a mathematical 
process known as “discrete exponentiation” as a potential 
function. Since the inverse of this process, known as 
discrete logarithm, was extremely difficult, this had the
potential to fulfill the basic criterion of a one-way function:
easy numbers for the good guys to crunch, and 
computational hell for the bad guys to reverse-calculate. 


Diffie was working at the Stanford AI lab one day in May 
1976, rewriting the public key cryptography paper that he 
and Marty were planning to publish later that year in the 
major IEEE journal, when Hellman called, excitement in his 
voice. He’d been working on discrete exponentiation, and 
had actually cooked up a workable system. When he 
explained it, Diffie instantly realized that Hellman had tied 
up the tangled threads of a theory that had been swirling 
around in his own mind for weeks. 


The scheme would come to be known as the Diffie- 
Hellman algorithm. It presupposes two parties who want to 
communicate in secret; by using one-way functions, these 
parties can jointly generate a shared key, one that an 
eavesdropper listening in on the session cannot intercept. 
Here’s how it works. 


The two parties first choose two numbers. This is done 
openly, since knowing these numbers will not help an 
eavesdropper. Each party then selects his or her own secret 
number, which will not be revealed or sent to anyone else. 
Then, using a mathematical formula that involves 
exponentiation, each party takes his or her own secret 
number and performs a calculation that involves both that 
secret number and the two previously chosen public 
numbers. After this brief number crunching, each person 
has a transformed secret number that is then sent to his or 
her counterpart. There’s no problem in sending this 
number over an open channel because, in effect, it’s an 
encrypted secret number, scrambled by means of a one-way 
function that was easy to perform but extremely hard to 
reverse. (How hard? Undoing the process would, in theory
at least, be as difficult as solving what is known as the
discrete logarithm problem. This requires performing about 
a million million quadrillion more operations than the 
exponentiation used to transform the numbers. That’s a 
one-way function!) 


You can think of this second pair of numbers as sort of an 
offspring of the openly agreed-upon public numbers and 
the closely held secret numbers. Trying to figure out the 
secret number from the figure passed over the clear 
channel would be like examining the DNA in a human cell 
and trying to figure out which parent was the contributor of 
each individual gene. You couldn’t do it unless you had 
access to DNA from either the sperm or egg cells. 


That leads to the third and final step of the Diffie-Hellman 
algorithm. Both parties separately use a related 
mathematical formula that combines those transformed 
numbers, in conjunction with his or her original secret 
numbers (the source DNA!), to arrive at yet another 
number. The formula works in such a way that both parties, 
despite the fact that their original numbers are different, 
will get the identical final number, which can be called K, as 
in key. Thus both people will now have possession of an 
identical numerical key—calculated in such a way so that 
only someone who has one of the original secret numbers 
can get K. An eavesdropper, of course, never had a chance 
to get hold of the secret numbers; that foe would be holding 
only the nearly-impossible-to-convert transformed 
variations. 
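The three steps above, written out as an added Python example (not code from the book or from the Diffie-Hellman paper). It uses the standard textbook form of the exchange, which the passage describes only in words: public numbers p and g, transformed numbers A = g^a mod p and B = g^b mod p, and K = B^a mod p = A^b mod p. The parameter values and function names are constructed toy assumptions.

```python
import hashlib
import secrets

# Constructed toy parameters (assumptions, not from the book).
P = 2**127 - 1              # a Mersenne prime; real groups are 2048+ bits
G = 3
TINY_P, TINY_G = 2039, 4    # 2039 = 2*1019 + 1, small enough to search


def make_secret(p):
    """Each party's private number, never sent: uniform in [2, p-2]."""
    return secrets.randbelow(p - 3) + 2


def transform(secret, p=P, g=G):
    """Step 2: the transformed secret number that crosses the open channel."""
    return pow(g, secret, p)


def shared_key(peer_value, my_secret, p=P):
    """Step 3: combine the peer's transformed number with one's own secret.
    Values 0, 1 and p-1 are rejected because they force a predictable K."""
    if not 1 < peer_value < p - 1:
        raise ValueError("degenerate peer value")
    return pow(peer_value, my_secret, p)


def session_key(k, p=P):
    """Hybrid use: hash K into 32 bytes for a conventional cipher."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(k.to_bytes(width, "big")).digest()


def exchange(a, b, p=P, g=G):
    """Run both sides. Returns (Alice's K, Bob's K, what the wire carried)."""
    A, B = transform(a, p, g), transform(b, p, g)
    wire = {"p": p, "g": g, "A": A, "B": B}
    return shared_key(B, a, p), shared_key(A, b, p), wire


def brute_force_log(target, p, g):
    """The eavesdropper's task: find x with g**x mod p == target by trying
    exponents in turn. Returns x, which is also the multiplications used."""
    value = 1
    for x in range(p):
        if value == target:
            return x
        value = value * g % p
    raise ValueError("target is not a power of g")


if __name__ == "__main__":
    k_alice, k_bob, wire = exchange(make_secret(P), make_secret(P))
    print("keys match:", k_alice == k_bob)
    print("eavesdropper saw only:", sorted(wire))

    # On the tiny group the search finishes at once; each extra bit of p
    # doubles the exponents this naive search may have to try.
    _, _, tiny = exchange(777, 401, TINY_P, TINY_G)
    print("secret recovered in tiny group:",
          brute_force_log(tiny["A"], TINY_P, TINY_G))
```

Only `p`, `g`, `A` and `B` ever appear in `wire`; the secrets `a` and `b` stay local to each side.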


The Diffie-Hellman algorithm was both more efficient and 
secure than Merkle’s puzzle system. But it was not even 
close to a complete implementation of the sort of public key 
cryptosystem that the two were envisioning. Diffie-Hellman 
did not provide for digital signatures and didn’t even supply
a means to encrypt messages. But it did provide a method
for two people who have had no prior communication to use 
an open channel and arrive at a secret key. That key could 
then be used with a conventional encryption system like 
DES to scramble messages and unscramble them. (This 
double-barreled approach—one method to find a key 
without a prior arrangement and another method to 
actually communicate in secret—would be called a hybrid 
system.) 


Including their new algorithm in the revision of 
“Multiuser Techniques” would make it a much more 
powerful document. The new paper, “New Directions in 
Cryptography,” was submitted on June 3, 1976. Later that 
month, they presented some of their ideas at conferences in 
Lenox, Massachusetts, and Ronneby, Sweden—appearances 
that would prove to have unintended patent implications. 
But thoughts about exploiting intellectual property were 
the furthest thing from the minds of these information 
scientists. In contrast to what struck them as a government 
refusal to provide all the details of the Data Encryption 
Standard, they were creating a fully open alternative to 
conventional cryptography itself. 


Meanwhile, Ralph Merkle, who was now well along in the 
graduate computer science program at Berkeley, was finally 
reconciled to the fact that his puzzles scheme wasn’t likely 
to overcome its work-factor flaw. He began casting about 
for another public key approach. “I had various schemes 
involving circuits and complicated fiddling around with 
subsets of various types,” he said. None seemed to work. 
Merkle was further handicapped by his chronic difficulty in 
expressing complex ideas clearly; this made it difficult for 
colleagues to suggest modifications to his schemes. “You’re
stretching your mind, and sometimes you get bizarre,
baroque things,” he says in his defense. “It’s only after 
you’ve cooked up the idea that you start simplifying to the 
point where it’s clean and easy and straightforward to 
present.” 


Hellman took Merkle up on his offer to work together, 
giving him a summer research job. It would be exhilarating 
to work with the two people in the world who best 
understood the problem. “I was basically isolated until I met 
Whit and Marty,” he says. “I was ready to keep banging 
away until I got some response, but there was no one else 
who was interested in pursuing this.” Merkle arrived at 
Stanford convinced that his most promising idea revolved 
around a scheme built around finding trapdoor one-way 
functions involving the NP-complete problem. The system 
was built around a mathematical problem known as 
knapsacks. To understand his scheme, picture, naturally, a 
knapsack. “The idea is to put things into this knapsack, to 
exactly fill it to the brim without going either over or 
under,” he says. Diffie would later describe the problem as 
that of a shipping clerk faced with a collection of packages 
of various sizes and shapes who had to find the absolute 
best way to stuff the packages in the mailbag. The perfect 
solution is one that fills every cubic inch of space. Actually, 
in Merkle’s scheme, it would be more accurate to say that 
the shipping clerk must know the proper combination of 
packages that will precisely meet the weight limit of a given 
knapsack. With only a few packages to choose from, the 
optimal solution isn’t that tough to find, but if there are 
plenty of packages, it gets much harder. 


Since Merkle wanted these knapsacks to act as trapdoor 
one-way functions—something that would be easy for the 
right person to solve but nearly impossible for everyone 
else to crack—he needed to figure out a way to tame this
difficult problem for the proper keyholder. He did this by
first using a much easier variation of the knapsack problem 
called a superincreasing knapsack. In these problems, the 
list of weights is ordered in such a way that discovering the 
solution is a breeze. Merkle then figured out a way to 
transform that easy process to the far knottier problem that 
comes with figuring out the solution to a normal knapsack, 
where the weights aren’t so helpfully arranged. 


It was a complicated but logical process. Someone who 
wished to receive a private message would begin with her 
own superincreasing knapsack, which would essentially be 
her secret key. Then she’d use that key to create a hard-to- 
solve normal knapsack to act as a public key. With the 
formula Merkle devised (working with Marty Hellman), that 
second knapsack could act as an encrypting function, 
scrambling messages in such a way that they could be 
unscrambled only by someone who had the ability to solve 
the problem of that normal knapsack. In a practical sense, 
there would be only one way to do that—by using the secret 
key, which was the related superincreasing (easy-to-solve) 
knapsack. 


The impractical way would be to spend a few billion years 
trying to solve the problem by brute force. 
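The knapsack trapdoor described above, as an added Python example (not code from the book). The passage refers only to "the formula Merkle devised"; the disguise used here, multiplying each private weight by a secret multiplier modulo a secret modulus, is the construction from the published Merkle-Hellman scheme. The 8-weight key is a constructed toy value so that one byte maps to one knapsack.

```python
from math import gcd

# Constructed toy key (assumption for illustration only).
PRIVATE_WEIGHTS = [2, 7, 11, 21, 42, 89, 180, 354]  # superincreasing
MODULUS = 881       # must exceed sum(PRIVATE_WEIGHTS) = 706
MULTIPLIER = 588    # must be coprime to MODULUS


def is_superincreasing(weights):
    """True if every weight exceeds the sum of all weights before it."""
    total = 0
    for w in weights:
        if w <= total:
            return False
        total += w
    return True


def make_public_key(weights, modulus, multiplier):
    """Disguise the easy knapsack as a normal-looking one."""
    if not is_superincreasing(weights):
        raise ValueError("private weights must be superincreasing")
    if modulus <= sum(weights):
        raise ValueError("modulus must exceed the sum of the weights")
    if gcd(multiplier, modulus) != 1:
        raise ValueError("multiplier must be invertible modulo the modulus")
    return [(multiplier * w) % modulus for w in weights]


def to_bits(byte):
    """Most significant bit first; one bit per weight (8 weights here)."""
    return [(byte >> (7 - i)) & 1 for i in range(8)]


def from_bits(bits):
    return sum(bit << (7 - i) for i, bit in enumerate(bits))


def encrypt(message, public):
    """Each byte becomes the sum of the public weights its 1-bits select."""
    return [sum(k for k, bit in zip(public, to_bits(byte)) if bit)
            for byte in message]


def solve_superincreasing(target, weights):
    """The easy problem: take the largest weight that still fits, repeat."""
    bits = [0] * len(weights)
    for i in reversed(range(len(weights))):
        if weights[i] <= target:
            bits[i] = 1
            target -= weights[i]
    if target:
        raise ValueError("no subset of the weights hits the target")
    return bits


def decrypt(cipher, weights, modulus, multiplier):
    """Keyholder: undo the multiplication, then solve the easy knapsack."""
    inverse = pow(multiplier, -1, modulus)
    return bytes(from_bits(solve_superincreasing(c * inverse % modulus, weights))
                 for c in cipher)


def brute_force(total, public):
    """Without the secret key: test subsets of the public weights in turn.
    Returns (byte found, subsets tried); the search space doubles per weight."""
    for tries, candidate in enumerate(range(2 ** len(public)), start=1):
        if sum(k for k, bit in zip(public, to_bits(candidate)) if bit) == total:
            return candidate, tries
    raise ValueError("no subset matches")


if __name__ == "__main__":
    public = make_public_key(PRIVATE_WEIGHTS, MODULUS, MULTIPLIER)
    cipher = encrypt(b"knapsack", public)
    print("public key:", public)
    print("ciphertext:", cipher)
    print("decrypted :", decrypt(cipher, PRIVATE_WEIGHTS, MODULUS, MULTIPLIER))
```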


Was there a simpler way to break the system than using 
mega-computers for a brute-force attack, hoping to get the 
keys sometime before the sun went dead? In other words, 
could cryptanalysts find a shortcut, a flaw? Merkle was 
supremely confident that no such flaw existed and posted a 
challenge on his office door. “I’m offering $100 to the first 
person to break it,” he wrote to Hellman. “I’ve discreetly 
shown it to a few people here, and after listening to the 
resulting silence, I’ve concluded that the solution, if it 
exists, is at least not embarrassingly simple.” To be sporting
about it, he made the task immeasurably easier, asking
potential crackers to solve the problem with the difficulty of 
the knapsack problem set at a level so low that Merkle 
knew that there was at least a remote chance that someone 
might collect the reward. After that, he figured, he could 
raise the stakes and offer a higher bounty if someone 
cracked the real thing. “The point was that no one gave a 
damn about this stuff,” he says. “I figured that if I offered 
money for the [possibly unbreakable] knapsack, people 
would just throw in the towel. So I offered money for the 
[easier problem], because somebody might actually break 
that, or at least think they have a chance at breaking that.”
(He would publish a paper on knapsacks with Hellman in 
1978.) 




In November, Diffie and Hellman’s IEEE paper came out. 
“New Directions in Cryptography” was a revelation, a true 
blow against the empire. (The title itself drew upon the 
authors’ generational roots by evoking the mind-blowing 
paperbacks of the New Directions publishing house— 
ground-shifting beatnik bibles like Waiting for Godot, 
Siddhartha, and In the American Grain.) “We stand today,” 
their article began with a fanfare, “on the brink of a
revolution in cryptography.” The computer age allows for 
dramatically cheaper implementations of scrambling 
devices, they explained, necessary tools for a world that 
features “effortless and inexpensive contact between 
people or computers on opposite sides of the world.” But 
because of the key distribution problem and the lack of a 
digital signature component, conventional cryptography is 
unable to handle those challenges: “Its use would impose 
such severe inconveniences on the system users as to 
eliminate many of the benefits of teleprocessing.” Thus, 
there is the need for something new, a means by which 
private conversations can actually be conducted without 
prior acquaintance, messages can be authenticated to
guarantee that the actual senders and recipients are
involved, and a true digital signature can be contemplated. 
Not only were Diffie and Hellman the first to articulate 
these problems in an open forum, but in the succeeding 
breath they proposed to solve them with their original 
creation, public key cryptosystems. 


Once, Diffie had harbored dreams of writing up any great 
cryptographic discovery he made, not as an academic paper 
but as an espionage novel. He had been disappointed in 
books of that genre that included great technical 
discoveries in their plot lines, because the fictional 
breakthroughs weren’t convincing; they had “feet of clay,” 
he complained. “Unfortunately,” he would note, “once I had 
the required technical discovery, I still did not know how to 
write a novel and had to content myself with publication in 
the professional journals like everyone else.” But he could 
take comfort in the fact that the paper he published with 
Marty Hellman was in many ways as enthralling as any 
page-turner that ever hit the bestseller list. This was 
science that broke the ground that science fiction had not 
yet contemplated; within its mathematical formulas lay a 
blueprint for twenty-first-century communications. 


Diffie and Hellman ended their paper with the 
observation that throughout the history of codes, it had 
often been amateurs who came up with the innovations in 
cryptography. They cited Thomas Jefferson, whose code 
wheel system was used two centuries after its invention, 
and also mentioned the four amateurs who independently 
came up with the implementations of electronic rotor 
machines that characterized Enigma-style crypto during 
World War II. Then they concluded with a wish that their 
efforts would be only the beginning of an effort to change 
the landscape of modern cryptography: “We hope this will 
inspire others to work in this fascinating area in which
participation has been discouraged in the recent past by a
nearly total government monopoly.” 


That monopoly had just been smashed open by a long- 
haired former MIT hacker and his passionate Stanford 
graduate school advisor. 


prime time


“Here’s something interesting. . . .”


A casual handoff of an academic paper from a graduate 
student to a professor. Ron Rivest, a twenty-nine-year-old 
assistant professor at the Massachusetts Institute of 
Technology, had no reason to believe that this paper was 
any more interesting than the hundreds of papers, articles 
in journals, and technical memos he had already seen in his 
nascent career in academia. One of its authors, Whit Diffie, 
had worked in the same building—Tech Square in 
Cambridge, where the AI lab was one floor above Rivest’s 
office at the Laboratory for Computer Science. But neither 
that name nor that of the coauthor, Martin Hellman, was 
familiar to him. And actually, Rivest knew very little about 
encryption and virtually nothing about how sensitive a topic 
it was. Nor did the paper contain any breakthroughs in
mathematical reasoning; the spirit of Fermat was nowhere
to be found in its equations. 


Even so, “New Directions in Cryptography” turned out to 
be more than interesting to Rivest: it thrilled him. 
Ultimately, it changed his life. 


The paper appealed to Rivest’s heart as well as his head. 
Rivest was a theoretician, but one for whom simple 
abstractions were not enough. The ideal for him was 
actually putting the ethereal mechanics of math to work, of 
making a tangible difference in the world of flesh and dirt. 
Diffie and Hellman’s breakthrough wedded the spheres of 
abstraction and reality, applying an original mathematical 
formula to meet a need in society. Ron Rivest wanted to 
spend his time in the neighborhood where those two realms 
met. 


Despite a prodigious talent for math, Rivest did not grow 
up as a classic numbers nerd. His father had been an 
electrical engineer at the General Electric lab at 
Schenectady, New York, and Rivest had taken advantage of 
the strong science programs in the public high school 
there. For one summer, he’d attended a special math 
program at Clarkson College. But as high school graduation 
loomed, he mulled over careers in psychology or law. He 
wound up majoring in mathematics at Yale but only, he 
remembers, because “it had the fewest course 
requirements, and it allowed me to take a lot of other 
courses.” These included plenty of classes in psychology, 
history, and other sojourns sans slide rule. Mathematics, he 
says, was “just one of many things I was doing.” 


He speaks of this in his characteristic soft, thoughtful 
cadence, a ruminative mumbling that draws a listener 
closer. Rivest is a balding man with pleasantly plump
cheeks, neatly bearded. He certainly does not appear to be
the sort of man who poses a threat to national security. 
While at Yale, Rivest attended a few marches protesting the 
Vietnam conflict, but he was far from a flaming activist. 
Thoughts of sedition had never truly crossed his mind. 


At Yale, Rivest discovered computer science. While taking 
courses offered by the engineering department, he realized 
that programming offered an opportunity to merge theory 
with tangible effect, and he fell in love with that form of 
instant karma. He used his programming skills in a part- 
time job for an economics professor. Working on a huge 
punch-card-munching IBM mainframe, Rivest hacked away 
at arcane subjects like price indices in Latin America or 
New Zealand—and felt just as powerful as if he were 
moving mountains. If Yale had offered a computer science 
major back then, Rivest would have signed up in a minute. 
In any case, after graduating from Yale in 1969 with a math 
degree, he went on to graduate school at Stanford, in the 
four-year-old computer science department. 


Rivest spent much of his time at Stanford’s cutting-edge 
artificial intelligence lab, helping with a fairly quixotic 
project involving an autonomous robot rover. The idea was 
to get the electronic beast to roam the parking lot with no 
human intervention, a typical overly optimistic task for AI 
workers in the 1960s. He had terrific fun with this, and was 
fascinated with the idea of making computers “smart.” But 
the problems of making robots behave forced him to 
concentrate on hard-core engineering problems, and he 
didn’t want to get too far from theory. He increasingly 
became drawn to understanding the mathematics of 
computation itself. His guru was not the AI elder John 
McCarthy but Don Knuth, Stanford’s Jedi Master of 
algorithms. But Rivest’s goal was always applying theory. 


“Artificial intelligence gets to be a bit mushy—it’s hard to
tell what it is you’re doing, and hard to tell when you’ve
done something right,” Rivest explains. “But with theory
you can make a crisp model and say, ‘This is what I want to
do and here’s the solution to it.’” There was nothing like 
using the beauty of mathematics to solve a problem. Not 
only was it possible to pull a cerebral arrow from your 
quiver and hit the bull’s-eye dead center, but you had the 
equivalent of a celestial arbiter—your proof—ringing the 
buzzer to let you know you’d scored. So while Rivest 
enjoyed writing AI software programs, his doctoral thesis 
involved database retrieval algorithm and research 
techniques. Very Knuth-ish. And in a yearlong postdoc at 
the Institut National de Recherche en Informatique et en 
Automatique (INRIA) outside Paris, he concentrated on 
other theoretical problems. 


In the fall of 1974, Rivest accepted his post as an assistant 
professor on a tenure track at MIT. It was an ideal job, one 
that would enable him to pursue his theoretical interests in 
a department that also allowed him the freedom to work on 
programming problems as well. Rivest had been married 
since graduating from Yale. At twenty-seven, he seemed 
poised to begin a productive yet quiet life as an academic in 
one of America’s best scientific institutions. From his 
eighth-floor window in the boxlike Tech Square building in 
Cambridge, he would watch the gorgeous campus sunsets, 
their drama enhanced by pollution spewed out by Boston- 
area industry. And then he would return to his algorithms. 


In December 1976, and throughout that entire winter, the 
algorithms Rivest grappled with were the ones suggested 
by Diffie and Hellman’s “interesting” paper. It might be 
more accurate to say that he was consumed by the formulas 
missing from that cryptologic manifesto. While the two 
Stanford researchers had indeed presented a mathematical
outline for a new way of passing secret messages—and also
digitally “signing” messages so that a communication could 
be definitively associated with its author—when it came to 
an implementation that one could really use, they’d come 
up dry. The Diffie-Hellman key exchange approach allowed 
two parties to set up a common key, but there was no 
obvious way that it could be extended to signatures. 
(Merkle’s not-yet-published knapsack solution also fell short 
of this.) Diffie and Hellman had speculated on various ways 
that one might eventually come up with a workable system 
where each individual could have his or her own key pair, 
one public and one kept secretly. But without the proper 
mathematical scaffolding, it was really nothing more than a 
suggestion. It all hinged on finding sufficiently powerful 
one-way functions. Was there indeed a set of these that 
could stand as the reliable scaffolding of a volks- 
cryptosystem? A set of functions so sound that the system 
based on them would be impervious to all sorts of 
eavesdroppers and codebreakers, even highly motivated 
ones equipped with high-speed computers, deep 
cryptographic experience, and a touch of genius 
themselves? 


Answering those questions became Rivest’s obsession. 
Though the mathematical component of the quest was 
exciting in itself, the process was charged with a thrilling 
frisson, in that a successful solution could potentially kick 
off an entirely new kind of commerce—business done over 
computer networks. This is important, Rivest thought, and 
immediately began evangelizing the challenge to his 
colleagues. 


Leonard Adleman was the first one to fall victim to 
Rivest’s exhortations. He was a young mathematician who 
also split his time between the computer science lab and 
the math department. One day that December, he recalls,
he walked into Rivest’s office just a few doors down from his
own at Tech Square. “Did you see this paper?” Rivest asked. 
“It shows how you can build this secret code, where if I 
wanted to send you something and we wanted it to be 
secret, and somebody was listening . . .”


As Rivest gushed about the workings of public key, 
Adleman asked himself, Do I care about this? Unlike Rivest, 
Leonard Adleman worshipped theory, pure and simple. He 
often thought about Gauss, Euler, Fermat . . . giants of
previous centuries who had discovered the foundations of 
mathematical truth, blue-sky brainiacs without regard for 
any practical applications their constructs may have had. 
These geniuses were as gods to Adleman, and he longed for 
nothing less than to play in the same arenas of pure mind. 
This stuff about cryptography that so excited Rivest 
sounded to Adleman like some problem about how to build 
a better automobile or something. Not the sort of 
intellectual gauntlet that a math god like Carl Friedrich 
Gauss would have jumped at. So Adleman waited patiently 
until Rivest was finished, then remarked, “That’s very 
interesting, Ron.” And changed the subject. 


Rivest had more luck with another recent addition to 
MIT’s computer faculty. Just that month, Adi Shamir, a rail- 
thin, witty Israeli, had arrived at MIT for a visiting 
professorship in the Laboratory for Computer Science. 
Shamir was having a hectic time. Though he was a world- 
class mathematician, he had yet to learn much about 
computer algorithms. So he had been unhappily surprised 
when, several weeks earlier, Rivest had sent him a letter “to 
discuss the contents of the advanced algorithm course you 
will teach this spring term.” Shamir winced: bad enough an 
algorithm course—but an advanced one? To doctoral 
candidates? Fortunately, Shamir was a lightning-quick 
study. As soon as he arrived at Tech Square he zoomed to
the library and checked out a shelf full of books on the
subject; in the next two weeks, he learned everything he 
needed to know about algorithms. It was sometime during 
that remedial reading period that his new colleague, Ron 
Rivest, popped into his office and enlisted him in the effort 
to implement public key cryptography. 


Once he got a look at it, Shamir agreed with Rivest that 
the Diffie-Hellman paper was significant. Not that it was 
groundbreaking from a mathematical point of view. He 
figured that if you took anyone experienced in number 
theory and tried to explain the Diffie-Hellman scheme to 
him, it would have taken exactly two minutes. The novelty 
was how the Stanford guys took something that had 
absolutely no relation to cryptography in the past and 
suddenly applied it to a new field. Shamir quickly became 
Rivest’s partner in the search for the perfect mix of one-way 
functions. 


As the winter progressed, Rivest and Shamir became 
friends; with Adleman they formed a jolly threesome. 
Adleman, at first almost as a social concession, joined in the 
algorithmic hunt. “We were roughly the same age, we were 
all in the same discipline, and we liked each other, so we 
became not only colleagues and collaborators but hung out 
all the time,” Adleman says. Adleman and Shamir were 
bachelors, and Rivest’s more domestic existence served as a 
sort of anchor to the group, both at work and in his home in 
Belmont, a warm, open apartment with access to a nice 
yard. (Adleman lived in an apartment in Arlington and 
Shamir had a place in Cambridge.) As the weeks 
progressed, the young men, with adjoining offices on the 
eighth floor of Tech Square, began working seriously on 
their quest. 


Not surprisingly, Rivest was the most focused of the 
group. Though he taught classes during this period, his 
mental efforts never strayed far from crypto. “Whatever 
Ron decides to do, he does extremely well,” says Adleman. 
“If he decided, say, to start building rocket ships, I’d put my 
money on it that in five years he’d be one of the five best 
rocket builders on earth.” Shamir was similarly dogged. 
“Adi’s like an intellectual lion; you just throw some meat in 
front of him and he’ll chew it up,” says Adleman. 


Adleman himself acted as more of a foil. Of the three, he 
was the one who most looked and acted like a classic, 
dreamy mathematician—the kind of shaggy-haired young 
guy who would be the helpless prey of a wacky heroine in a 
screwball comedy (by the end of the movie, though, we’d 
learn that he had his own devilish streak). Perhaps once or 
twice a week, Rivest and Shamir would come up with a 
scheme, and then present it to Adleman, the group’s Mr. 
Theory, who would then set about to identify its flaws and 
break the scheme, sending the other two mathematicians 
back to the blackboard. To Adleman the exercise was like 
swatting flies, and not much more intriguing. Even weeks 
into the project, he was convinced that the whole project 
was not really worth his effort—it was too grounded in the 
real world. He understood that both his friends had this 
sense that the potential practical applications made the 
quest desirable. That didn’t matter to Adleman. He loved 
math because its beauty transcended earthly concerns. 


At first, every scheme they came up with was easily 
obliterated by an Adleman attack. Frustratingly so. “We 
experimented with a lot of different approaches, including 
variations on things that Diffie and Hellman suggested,” 
says Rivest. “We weren’t happy with the approaches we 
came up with.” At one point, they got so discouraged that 
they wondered whether an answer existed at all. Maybe 
Diffie and Hellman’s apparent breakthrough was a dud. So 
for a little while, they switched gears and attacked the 
problem from the opposite end, trying to come up with a 
proof to show that public key cryptography was impossible. 
“We didn’t get very far at that,” says Rivest. 


In February, the three MIT mathematicians went to the 
Killington ski resort in Vermont. It was definitely a working 
holiday. Even as the three computer scientists tried to teach 
themselves to ski, their minds were never far from the 
problem. For Shamir, and even more for Rivest, it was 
almost a biological drive; Adleman was literally along for 
the ride. “All the way up in the car, around the fire, riding 
the ski lifts, that’s what they were talking about, so that’s 
what I was talking about,” he says. Of course, when actually 
schussing down a mountain on skis, they couldn’t continue 
the discussion—so they thought about it. Shamir later 
recalled, only half facetiously, that they settled into a 
routine of each racing down the hill for a half hour devising 
a new public key cryptography scheme. And then the others 
would break the scheme. On only the second day that the 
Israeli had ever been on skis, he felt he’d cracked the 
problem. “I was going downhill and all of a sudden I had the 
most remarkable new scheme,” he later recalled. “I was so 
excited that I left my skis behind as I went downhill. Then I 
left my pole. And suddenly . . . I couldn’t remember what 
the scheme was.” To this day he does not know if a brilliant, 
still-undiscovered cryptosystem was abandoned at 
Killington. 


In a way, their difficulties were only to be expected. Why 
would anyone think that three young computer science 
assistant professors could ever come up with a sound 
cryptosystem, let alone a bulletproof scheme that for the 
first time in history allowed people to communicate with 
each other in total secrecy without having to make 
arrangements beforehand? A reasonable mind would 
conclude that this could only be done by someone intimately 
familiar with the field. If you had a magical instrument that 
measured cryptographic knowledge, the combined 
experience of the MIT Three wouldn’t have moved the 
needle even a tickle. 


But such ignorance was perhaps their most valuable 
asset. “We were extremely lucky,” Shamir later said. “If 
we’d known anything about cryptography and known about 
differential sequences and Lucifer and DES we probably 
would have been misled into expanding those ideas and 
using them for public key cryptography. But we were rank 
amateurs—we knew nothing about cryptography. And as a 
result we were just exploring the ideas we were taught at 
university.” 


These ideas were a mathematical grab bag that 
suggested all sorts of possibilities—everything from linear 
algebra to equation sets. And they went through them all. 
Generally they’d meet in Rivest’s office, scrawling equations 
on the blackboard. Someone would come up with an idea 
and they’d think about it for a while, and then maybe they’d 
see a flaw with it. “Sometimes I would break my own 
scheme, or Adi would break his, or I would break Adi’s,” 
says Rivest. The more promising possibilities would go to 
Adleman, who, despite his initial lack of interest, was 
developing quite a talent for locating, then tugging at, the 
threads that would unravel a given scheme. 


Eventually, they found a system that looked like it might 
fly. It was about the thirty-second candidate. Adleman 
immediately thought this one looked more interesting than 
the predecessors. He pulled an all-nighter before he broke 
it—“It took real research to break it, as opposed to 
observation,” he says—and discovered that he had mixed 
feelings about his success. He was now hooked, too. 
(Several years later, some researchers published a paper 
proposing an almost identical scheme, only to be 
embarrassed when other mathematicians rediscovered 
Adleman’s “scheme 32” attack.) 


By then their solutions were beginning to utilize the idea 
of a promising one-way function: factoring. Though Knuth 
had suggested this to Diffie and Hellman, the Stanford 
researchers hadn’t followed up on it; by coincidence, Rivest 
was settling on his former mentor’s hunch. 


Once again, factoring is a mathematical problem tied to 
the use of prime numbers. A prime number, of course, is 
one that cannot be arrived at by multiplying two numbers 
together (the lone exception being the prime itself and the 
number one). If you multiply two large primes together, 
then, you get a much larger number that isn’t a prime. To 
factor that number, you have to somehow reverse the 
process, identifying the two original seeds that produced it. 
This had been understood as a hard problem ever since a 
few years before Christ’s birth, when Eratosthenes of 
Alexandria devised a mathematical process called a “sieve” 
to try to perform this task. At that time, people considered 
factoring to be virtually the same problem as trying to 
figure out whether a number was a prime or not. Twelve 
hundred or so years later, Fibonacci improved the method 
somewhat, but by no means did he offer a way to 
reasonably break down a large product into its two parent 
primes. When Gauss in 1801 recognized that factoring and 
finding primality were two different problems, he identified 
the former conundrum as a vexing but critical challenge: 


The problem of distinguishing prime numbers 
from composite numbers and of resolving the 
latter into their prime factors is known to be 
one of the most important and useful in 
arithmetic. ... The dignity of the science itself 
seems to require that every possible means be 
explored for the solution of a problem so 
elegant and celebrated. 


Gauss never did find an efficient solution to the factoring 
problem, and no one else did either, though no proof 
existed that a solution was impossible. Not that it was a 
very hot topic in the mid-1970s. “Factoring at the time was 
not a problem that people cared about very much,” Rivest 
says. “Publications were few and far between.” 


Still, as the MIT Three continued trying different 
variations of schemes to implement the Diffie-Hellman 
concept, they became increasingly drawn to using factoring 
in their system. 


On April 3, 1977, a graduate student named Anni Bruce 
held a Passover seder at her home. Rivest was there, and 
Shamir, and Adleman. For several hours ideas of 
mathematical formulas and factoring were put aside for a 
recapitulation of the escape of the Jewish people from 
Egypt. As is customary with seders, people downed a lot of 
wine. It was nearly midnight when Rivest and his wife 
returned home. While Gail Rivest got ready for bed, Ron 
stretched out on the couch and began thinking about the 
problem that had consumed him and his colleagues for 
months. He would often do that—lie flat on the sofa with his 
eyes closed, as if he were deep in sleep. Sometimes he’d sit 
up and flip through the pages of a book, not really looking, 
but reworking the numbers. He had a computer terminal at 
home, but that night he left it off. “I was just thinking,” he 
says. 


That was when it came to him—the cognitive lightning 
bolt known as the Eureka Moment. He had a scheme! It was 
similar to some of their more recent attempts in that it used 
number theory and factoring. But this was simpler, more 
elegant. Warning himself not to get overexcited—Shamir 
and Adleman, after all, had broken many of his previous 
proposals—he jotted down some notes. He did allow himself 
the luxury of saying to his wife that he’d come up with an 
idea that just might work. He doesn’t remember phoning 
the guys that night. Adleman, though, insists that he 
received a call sometime after midnight. 


“I’ve got a new idea,” Rivest announced, and explained it. 


Essentially, Rivest’s idea was to strip the factoring 
problem down to almost naked essentials. A public key is 
generated by multiplying two large (over 100 digits), 
randomly chosen prime numbers. Easy. Then another 
simple step (if you have a computer): randomly choose yet 
another large number, one that had certain 
easy-to-calculate specified properties. This would be known as the 
encryption key. The complete public key consists of both 
that encryption key and the product of those two primes. 


Rivest then provided a simple formula by which someone 
who wanted to scramble a message could use that public 
key to do so. The plaintext would now be ciphertext, 
profoundly transformed by an equation that included that 
large product. Finally, using an algorithm drawn from the 
work of the great Euclid, Rivest provided for a decryption 
key—one that could only be calculated by using the two 
original prime numbers. Using the decryption key, one 
could easily revert the ciphertext to the plaintext message. 


Thinking of it another way, on its way to ciphertext, the 
original message was intimately intertwined with the 
product of the two primes. What made the information in 
the plaintext unreadable was a mathematical 
transformation involving that large product—a 
transformation that could only be reversed if you knew 
what those two primes were. Then everything would 
become clear. 


Some of the mathematics of the decryption key—which 
works as the private key in this system—was derived from 
the work of another legendary mathematician, Leonhard 
Euler, who in 1763 devised an equation that dealt in the 
remainders of numbers obtained after dividing whole 
numbers. Almost two hundred years after its Swiss inventor 
first conceived it, an idea that had been deemed valuable 
only in theoretical math had found an application in the 
real-world mechanics of codemaking. 


The scheme satisfied all of Diffie and Hellman’s 
requirements. A user could confidently broadcast a public 
key, because its essential component was only the product 
of the two primes. If snoops wanted to unscramble an 
intercepted message that had been encrypted with the 
public key, that information would be useless. In order to 
cook up a decryption key, they’d need the original primes. 
How could they do that? Only by factoring, and even Gauss 
couldn’t crack that nut. This was the beauty of the one-way 
function: easy to do if you’re going in the right direction, 
next to impossible if you approach it from the wrong end. If 
the people using the system used primes as big as Rivest 
was specifying, factoring that product would require 
hunkering down with some supercomputers for a long 
winter—and for some billions of winters thereafter. As long 
as factoring remained difficult, this new scheme was 
secure. 


The scheme wasn’t limited to encryption, either. If you 
used the decryption (private) key to scramble a number, 
that jumbled result could be unscrambled by using the 
encryption key and the product of the primes—the public 
key. Since only the owner of the closely held private key 
could do this, this process would reliably authenticate the 
source of the message. What Diffie and Hellman had first 
imagined now seemed real: a solid formula for digital 
signatures, the enabler for new kinds of commerce, and a 
means to establish trust on an electronic network. 
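

The scheme described in the preceding paragraphs, written out as an added Python example; it is not code from this book or from the RSA paper. The function names, the Miller-Rabin prime test, and the constructed toy values (primes 61 and 53, encryption key 17, message 65) are assumptions chosen for illustration, and this is the bare, unpadded arithmetic only.

```python
import math
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Try random odd numbers with the top bit set until one is prime."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate, rng):
            return candidate


def extended_euclid(a, b):
    """Euclid's algorithm, extended: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def private_exponent(e, p, q):
    """Decryption key d with e*d == 1 mod (p-1)(q-1); it needs both primes."""
    phi = (p - 1) * (q - 1)
    g, x, _ = extended_euclid(e, phi)
    if g != 1:
        raise ValueError("e shares a factor with (p-1)(q-1)")
    return x % phi


def generate_keypair(prime_bits=256, rng=None):
    """Return ((n, e), d): the public key and the private decryption key."""
    rng = rng or random.SystemRandom()
    p = random_prime(prime_bits, rng)
    q = random_prime(prime_bits, rng)
    while q == p:
        q = random_prime(prime_bits, rng)
    phi = (p - 1) * (q - 1)
    e = rng.randrange(3, phi)          # random encryption key ...
    while math.gcd(e, phi) != 1:       # ... with the required property
        e = rng.randrange(3, phi)
    return (p * q, e), private_exponent(e, p, q)


def encrypt(m, public_key):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, d, n):
    return pow(c, d, n)


def sign(m, d, n):
    """Scramble with the private key; anyone holding (n, e) can check it."""
    return pow(m, d, n)


def verify(m, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == m % n


def recover_private_key_by_factoring(public_key):
    """The eavesdropper's only route: factor n. Trial division works here
    solely because the constructed toy modulus is four digits long."""
    n, e = public_key
    p = next(f for f in range(3, math.isqrt(n) + 1, 2) if n % f == 0)
    return private_exponent(e, p, n // p)


if __name__ == "__main__":
    toy_public, toy_d = (3233, 17), private_exponent(17, 61, 53)  # constructed
    c = encrypt(65, toy_public)
    print("ciphertext", c, "decrypts to", decrypt(c, toy_d, 3233))
    print("factoring recovers d:",
          recover_private_key_by_factoring(toy_public) == toy_d)
    public, d = generate_keypair(prime_bits=256)
    m = int.from_bytes(b"constructed sample message", "big")
    assert decrypt(encrypt(m, public), d, public[0]) == m
    assert verify(m, sign(m, d, public[0]), public)
    print("random-key round trip and signature check passed")
```

With the four-digit toy modulus the private key falls out of trial division at once; with primes of the size generated by `generate_keypair`, the same loop would never finish, which is the one-way property the text describes.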


The formulas sounded beautiful to Adleman. It was a 
much less messy system than any they’d been dealing with. 
Others had used relatively convoluted schemes involving 
multiplication, division, addition. But Rivest had hit the 
target dead on. “I think that’s it, Ron,” said Adleman. “I 
think that’s going to work.” But Adleman, too, held off on 
popping a champagne cork. Too often, midnight excitement 
dissipates when a scheme is examined in cold morning 
light. 


When morning broke, though, the elegance of Rivest’s 
solution hadn’t dimmed. When the three researchers 
convened in Tech Square as usual, a flushed and breathless 
Rivest presented a manuscript to his colleagues with the 
whole shebang written out in a near-publishable format. It 
was signed Adleman, Rivest, Shamir. “I looked at this,” said 
Adleman, “and it was the description of what he’d said the 
night before.” He felt it was Rivest’s breakthrough, not his. 


“Take my name off,” he said. “It’s your work.” 


Rivest insisted that it was a joint project, that Shamir’s 
and Adleman’s contributions were crucial, that the scheme 
was the final point in an evolutionary process. To Rivest, it 
was as if the three of them had been in a boat together, all 
taking turns rowing and navigating in search of a new land. 
Rivest might have stepped out of the boat first, but they all 
deserved credit for the discovery. Still, Adleman objected 
again. Maybe Shamir had contributed conceptually, but 
Adleman had mostly stuck pins in various algorithmic trial 
balloons. No way he could take credit. 


Rivest urged Adleman to reconsider overnight. “So I went 
home and thought about it,” said Adleman. He was, after 
all, a logical man. Though he felt in his bones that he didn’t 
deserve to share credit, he knew that as an aspiring 
academic, any publication credit might help when he came 
up for tenure. And after all, breaking their “Scheme 32” 
hadn’t been trivial. What if he hadn’t been around to break 
it, and Rivest and Shamir had gone on to publish a faulty 
paper—they certainly would have looked like morons if 
some pimply grad student cracked their scheme. Given that 
he had made a contribution, why fight Ron on the matter? 
After all, Adleman thought, it wasn’t as if this was a paper 
anyone would actually see. “I thought that this would be the 
least important paper my name would ever appear on,” he 
recalls. So Adleman agreed to keep his name on it, if it were 
listed last. Meanwhile, Adi Shamir agreed with Adleman 
that Rivest’s name should go first. This order determined 
the name of the algorithm itself: RSA. 


With input from his collaborators, Rivest quickly turned 
his original draft into MIT/Laboratory for Computer 
Sciences Technical Memo Number 82: “A Method for 
Obtaining Digital Signatures and Public Key 
Cryptosystems.” It was dated April 4, 1977. Though 
Adleman might still have dismissed the outcome as 
mathematically unimportant, a quick glance at the “key 
words and phrases” offered for indexing purposes 
demonstrated that this was at the least an unusual effort for 
three number crunchers from MIT. In fact, the words 
offered a remarkable blueprint for a network society that 
would not be widely discussed for twenty years: 


. . . digital signatures, public key cryptosystems, 
privacy, authentication, security, factorization, 
prime number, electronic mail, 
message-passing, electronic funds transfer, cryptography. 


With fanfare reminiscent of the Diffie-Hellman work that 
had first triggered the project, the paper’s first words 
proclaimed, “The era of electronic mail may soon be upon 
us; we must insure that two important properties of the 
current ‘paper mail’ system are preserved.” These 
properties were that messages remain private and able to 
be signed. And then the authors promised to unveil a means 
by which these characteristics, long accepted as only the 
domain of hard copy, could be used in the coming, 
networked era. 


The paper was also notable for a more whimsical touch. 
Instead of what had been the standard form of delineating 
the recipient and sender of a message by alphabetic 
notation—A for the sender, B for the recipient, for instance 
—Rivest personified them by giving them gender and 
identity. Thus the RSA paper marks the first appearance of 
a fictional “Bob” who wants to send a message to “Alice.” As 
trivial as this sounds, these names actually became a de 
facto standard in future papers outlining cryptologic 
advances, and the cast of characters in such previously 
depopulated mathematical papers would eventually be 
widened to include an eavesdropper dubbed Eve and a host 
of supporting actors including Carol, Trent, Wiry, and Dave. 
The appearance of these dramatis personae, however 
nerdly, would be symbolic of the iconoclastic personality of a 
brand-new community of independent cryptographers, 
working outside of government and its secrecy clamps. 


Despite their confident language, Rivest wasn’t sure how 
significant the discovery was. “It was unclear at the time 
whether [the scheme] would be broken within a few 
months,” he says. “It was also unclear whether there were 
better approaches.” Still, he initiated a journal publication 
process, with an eye to the Communications of the ACM, 
where he was a contributing editor. He sent copies to 
colleagues for peer review. One to Don Knuth. And, in his 
first contact with the authors of “New Directions in 
Cryptography,” on whose system his own was built (a 
connection made explicit in his paper), he sent one to 
Whitfield Diffie and Martin Hellman. (Rivest later explained 
that among researchers it is not particularly unusual for a 
group of academics to build upon previous work without 
notifying the original team until a result is obtained.) 


There were still some things that needed to be nailed 
down before the paper was submitted to a journal. One of 
them was definitively pinpointing the current state of 
factoring—the system, after all, relied on the difficulty of 
extracting two long primes from their product. Through 
Marty Hellman, they got in touch with Rich Schroeppel, the 
former MIT hacker whom Diffie had visited on his 
transcontinental crypto adventure. (Ironically, Schroeppel 
had been pessimistic about the prospect of cryptosystems 
based on one-way functions.) Schroeppel was among the 
few people on earth still doing very serious thinking on 
factoring. 


Schroeppel now was ready to discard his skepticism of 
one-way functions and was eager to contribute. After 
reading what Don Knuth had offered as the best available 
formula for factoring, Schroeppel had done a timing 
analysis of it and had a deep realization of how truly knotty 
the problem was: no matter how you tackled it, it seemed 
that the work required to factor something was many, many 
times larger than the effort expended on the initial 
multiplication. “I think it was the first time anybody had 
looked at how hard it was to factor,” he says. Schroeppel 
was impressed with the RSA paper and sent some 
suggestions, including an analysis of how long it would take 
the fastest factoring scheme (an unpublished one by 
Schroeppel himself) to crack keys. Conclusion: plenty long 
enough for a good cryptosystem. 


Rivest also sent a paper to Martin Gardner, who wrote the 
“Mathematical Recreations” column for Scientific 
American. “He was always writing these columns about big 
numbers, and looking for primes,” says Rivest. Gardner had 
a loyal following among both amateur figure twiddlers and 
serious mathematicians: it was not unusual for one of his 
monthly dispatches to catapult a hitherto obscure problem 
into an international obsession. 


On April 10, 1977, less than a week after Rivest’s 
breakthrough had occurred, Gardner wrote back. “Your 
digital signature scheme is indeed fascinating,” he wrote. 
“The whole idea behind it is new to me, and I think a very 
interesting column could be written around it.” He invited 
Rivest to explain the scheme to him personally. 


An excited Rivest headed out to Gardner’s home in 
Hudson, New York. Gardner was an old-school gentleman 
and something of a scamp. The columnist performed a few 
card tricks; years later Rivest was still wondering how the 
hell he did them. The magic show completed, Gardner 
asked for examples of how the RSA system worked, and it 
was Rivest’s turn to produce magic. Eventually they 
decided to offer a challenge to readers of the column. 


Rivest would generate a public key of 129 digits and use it 
to encode a secret message. If the system worked as 
promised, no one in the world would be able to read that 
message, with two exceptions. One would be someone who 
had both a powerful computer set to break the message 
with brute force and a very large amount of time on his 
hands: if the computer was, for instance, a million-dollar 
PDP-10, the effort would take somewhere in the 
neighborhood of a quadrillion years. (This estimate, 
provided by Rivest on an apparent misinterpretation of 
Schroeppel’s factoring time analysis, was an error on his 
part; what he meant to say was that it would take merely 
hundreds of millions of years to crack the code by 
calculation. Still not an undertaking for mortals.) The other 
exception, of course, was the person holding the private key 
match to that particular 129-digit public key. That person 
could decode the message in a few seconds. 


And if the RSA system didn’t work as promised? Then 
some bright, motivated reader might figure it out. In that 
case, Rivest, Shamir, and Adleman would present that 
person a $100 prize. And the RSA system would be given a 
quick funeral, as it would be useless for protecting people’s 
privacy and authenticating their identities. 


Gardner’s column appeared in the August 1977 edition of 
Scientific American. It was spiked throughout with 
enthusiasm for the achievement of the three young MIT 
scientists. Gardner, in fact, predicted that the 
breakthroughs by Diffie-Hellman, and then RSA, meant an 
end to an entire era of codebreaking: “[They are] so 
revolutionary,” he wrote, “that all previous ciphers, 
together with the techniques for cracking them, may soon 
fade into oblivion.” From now on, he wrote, armed with RSA 
and similar systems, we would enter a golden age of secure 
electronic communications, where all messages could be 
secure, unreadable even by the masters of cryptanalysis. In 
fact, Gardner used the moment to declare void Edgar Allan 
Poe’s contention that “human ingenuity cannot concoct a 
cipher which human ingenuity cannot resolve.” In 
Gardner’s view, the ingenuity of the Stanford and MIT 
“outsiders” had concocted that very cipher. The columnist, 
while excited by the discovery, confessed to a wistfulness at 
the new reality, where the spy vs. spy aspects of encryption 
would be relegated to antiquity. “All over the world there 
are clever men and women, some of them geniuses, who 
have devoted their lives to the mastery of modern 
cryptanalysis. ...” he wrote. “Now these people are 
standing on trapdoors that are about to spring open and 
possibly drop them completely from sight.” 


Gardner completed the column by printing the message 
encoded by Rivest with the RSA system using a 129-digit 
key, inviting anyone to try his or her luck, skill, and 
cryptanalytic prowess at breaking the code. Readers were 
invited to begin the process, or simply learn more about the 
system, by sending a self-addressed, stamped envelope to 
MIT and requesting a copy of the technical paper. 


Though the three professors were all on summer break, 
the secretaries at Tech Square could attest to the instant 
impact of Gardner’s column—thousands of letters began 
pouring in. When Shamir finally returned to Cambridge 
after spending the summer backpacking in Alaska, he 
encountered a near avalanche as the stacks of envelopes 
that had been stored in his office engulfed him on his way to 
his desk. 


But that was only the first indication of the excitement 
that Gardner’s column inspired. This was the first public 
notice of the movement that began with Whit Diffie’s 
iconoclastic quest, and it seemed to have unleashed all the 
pent-up frustrations of anyone who once had been 
temporarily obsessed with the dark art of codes, only to 
have sublimated that attention elsewhere, since all the good 
stuff in the crypto world existed only behind the Triple 
Fence or, perhaps, its international counterparts. Reading 
Gardner’s account of what seemed like a turning point in 
this history of cryptography—not only in terms of what the 
tools were but who had forged them—was like the sun 
breaking through after decades of gray gloom. 


Len Adleman first saw the evidence of this that August, 
when he was browsing in a bookstore in Berkeley. Waiting 
to pay for his purchase, he overheard a conversation 
between a clerk and a customer buying a new copy of 
Scientific American. “Did you see the thing in here about 
this new code system?” asked the customer. 


“Yeah, I read about it,” said the clerk. “Isn’t it wild?” 


Adleman could not contain himself. “That’s the stuff we 
did,” he exclaimed, identifying himself as one of the three 
MIT professors in Gardner’s column. When the magazine 
buyer understood that Adleman was on the level, he held 
out the issue. “Would you sign this for me?” he asked. 


As an instrument of crypto’s liberation, Len Adleman was 
suddenly being asked for autographs a la Tom Cruise. Even 
Fermat hadn’t gotten that kind of treatment! 


And what about the people who were supposedly 
standing on those trapdoors Gardner mentioned—namely, 
the codemakers, codebreakers, analysts, and outright 
spooks who disappeared each day into the Cone of Silence 
at Fort George Meade? How did they view the work of 
Rivest, Shamir, and Adleman and the advances of Diffie and 
Hellman? 


As one might expect: with sheer horror. 


The midseventies had already been traumatic for the NSA. 
For twenty-five years, its relationship with Congress had 
proceeded with nary a legislative speed bump. The agency 
addressed only the few representatives who sat on 
Classified intelligence oversight committees. After briefing 
sessions held in shielded rooms swept for bugs, the 
legislators routinely rubber-stamped all of The Fort’s 
requests. But in 1975 and 1976, the NSA found itself the 
focus of a fearlessly insolent investigation of its 
eavesdropping practices by Senator Frank Church’s 
Intelligence Committee. The committee was shocked to 
discover the extent of the NSA’s snooping efforts, 
particularly a strategy called Project Shamrock that 
included surveillance of American citizens. Church was 
incensed at the agency’s blithe insistence that such 
eavesdropping, performed without benefit of warrants, was 
still within its authority. The senator’s final report 
concluded with an almost biblical admonition on what could 
happen if the agency continued on its course without 
restraint, warning that its monitoring capabilities “could at 
any time be turned around on the American people and no 
American would have any privacy left, such [is] the 
capability to monitor everything. ... There would be no 
place to hide.” While the NSA avoided any serious 
repercussions, this “indecent exposure” (as described by an 
NSA official in an internal memo) was sobering. 


The wiser heads of the NSA obviously knew that if there 
was ever a time to lie low, this was it. Still, Diffie-Hellman’s 
work, and its alarmingly practical follow-ups, represented 
an encroachment into what the NSA had regarded as its 
birthright: the domination of cryptography. This was 
something that the agency could not ignore. After all, if 
people had access to the means to encrypt their private 
communications, there could be a place to hide—and a 
universal means to privacy was exactly what an agency 
charged with eavesdropping is hell-bent to prevent. Though 
the realization of such a threat to its mission was slow to 
filter through the complex bureaucracy at Fort Meade, 
clearly some officials recognized the problem. As early as 
1975 the NSA began to work behind the scenes (where 
else?) to restrict the nascent academic field. 


Its first efforts were directed at the National Science 
Foundation. The NSF was an independent government 
agency designed to foster research into all sorts of scientific 
inquiries; it was extremely common for mathematicians and 
computer scientists to have work funded, at least in part, by 
NSF grants. (These would come to include Diffie, Hellman, 
and the RSA team.) In June 1975, the NSF official in charge 
of monitoring such grants, Fred Weingarten, was warned 
that the NSA was the only government agency with the 
authority to fund research on cryptology. Weingarten was 
alarmed that he may have been breaking the law. So he 
held off awarding any new grants while he sought to clarify 
the matter. 


What he found was interesting. Neither the NSF lawyers 
nor the National Security Agency itself, when pressed for 
documentation, could come up with any statutory 
justification for the agency’s claim. So Weingarten felt free 
to ignore the warnings and resume his grants. 


Marty Hellman, for one, always appreciated Weingarten’s 
backbone. “When the NSA told him that he couldn’t fund 
cryptography, that the NSA had a monopoly on that 
funding, Fred not only was courageous but he handled it 
very well,” says Hellman. “He didn’t say, ‘You’re full of shit,’ 
but asked them to put it in writing so he could take it to his 
counsel for an opinion.” 


But then came the Diffie-Hellman paper, followed by the 
RSA discovery. Together, of course, these created the 
underpinnings for the NSA’s worst fear: a communications 
system where everyone used a secure code. So it seemed 
hardly a coincidence that on April 20, 1977—barely three 
weeks after Rivest dashed off his MIT technical memo—the 
NSA’s assistant deputy director for communications 
security, Cecil C. Corry, ventured from Fort Meade to the 
capital to meet with Weingarten. He was accompanied by a 
colleague. Once again the officials attempted to ax any NSF 
grants that might involve crypto, invoking what they 
portrayed as a presidential directive giving them “control” 
over such research. Weingarten reminded them of his 
previous experience, which established that no such 
directive was ever issued. While he did agree to forward 
relevant proposals to the NSA so that the security agency 
could offer a technical evaluation to use in considering the 
grant, he insisted that the process be conducted openly, 
with no decisions made under the shroud of silence. 


The NSA people weren’t happy with that compromise, 
offhandedly remarking to Weingarten that “they would have 
to get a law passed”—presumably to ban such academic 
research unless the Diffies, Hellmans, and Rivests of the 
world were willing to deep-six their work under the 
Classified seal. Later, Corry wrote to John R. Pasta, 
Weingarten’s boss, thanking him for a concession that the 
NSF never made—agreeing to consider “security 
implications” when evaluating grant proposals. Pasta made 
it clear that the NSF made no such promise. 


In a memo he wrote at the time, Fred Weingarten 
summarized his views of the agency’s motives: 


NSA is in a bureaucratic bind. In the past the 
only communications with heavy security 
demands were military and diplomatic. Now, 
with the marriage of computer applications with 
telecommunications ... the need for highly 
secure digital processing has hit the civilian 
sector. NSA is worried, of course, that public 
domain security research will compromise some 
of their work. However, even further, they seem 
to want to maintain their control and corner a 
bureaucratic expertise in this field. ... 

It seems clear that turning such a huge 
domestic responsibility, potentially involving 
such organizations as banking, the U.S. mail, 
and cable televisions, to an organization such as 
NSA should be done only after the most serious 
debate at higher levels of government than 
represented by peanuts like me. 


Clearly, NSA wasn’t going to slink away. 


As the skies darkened inside the Beltway, the MIT 
professors, crypto virgins all, were unaware of anything but 
sunshine. They certainly didn’t know of anything in the 
nation’s export laws and agreements that could conceivably 
affect the dissemination of their work. They had no idea 
that while the first half of 1977 was marked by their major 
contribution to the field of cryptography, the latter portion 
of that year would be marked by the government’s efforts 
to stop people from knowing about such work. 


That summer a letter dated July 7, 1977, arrived at the 
New York offices of the IEEE, addressed to E. K. Gannett, 
the staff director of the organization’s publications board. “I 
have noticed in the past months,” the correspondent began, 
“that various IEEE groups have been publishing and 
exporting technical articles on encryption and cryptology— 
a technical field which is covered by federal 
regulations. ...” There followed detailed citations, down to 
the proper subsections of individual regulations that may 
have already been violated, not only by the publishing of 
certain articles in IEEE publications, but at various 
symposia sponsored by the group, including the event in 
Ronneby, Sweden, where Hellman had first presented 
public key crypto. As further documentation, the letter 
writer included photocopies of “a few pages of the relevant 
law,” namely the International Traffic in Arms Regulation 
(ITAR) code. These regulations were drawn to “control the 
import and export of defense articles and defense services.” 
While people like Ron Rivest had always assumed that 
defense articles were things like nuclear detonating 
devices, Stinger missiles, and aircraft carriers, it turned out 
that these “instruments of war” were joined on the United 
States munitions list by “privacy devices [and] 
cryptographic devices.” None of these was allowed to be 
shipped overseas without specific permission from the State 
Department. Furthermore, these restrictions did not cover 
merely the actual devices, but any “technical data” covering 
these “weapons.” This was defined as “any unclassified 
information that can be used ... in the design, 
production ... or operation” of a restricted weapon. If you 
disseminated that information to a foreign national, or even 
allowed such a person to get his or her hands on your 
matériel (so to speak), you were in violation of the law—an 
enemy of the state. 


The letter writer noted that in October the IEEE planned 
an International Symposium on Information Theory at 
Cornell that would include papers on encryption. Under 
current law, he warned, such presentations or publications 
were restricted, and if preprints were sent abroad, “a 
difficulty could arise, because, according to ITAR, an export 
license is required.” His implication seemed to be that such 
a violation of the law could lead to fines, arrests, and even 
jail terms. At the Ronneby conference, the letter darkly 
noted, “this formality was skipped.” 


The message was clear: You academic cryptographers 
may believe that your ideas were conceived under the 
protection of academic freedom and that your 
mathematical formulas belonged to no one but perhaps the 
God who first crunched them... but that is not the case 
when it comes to ideas and algorithms that can be used to 
encrypt information. Those ideas should be kept under 
close watch—and government control. Clearly, the letter 
implied, by allowing the Cornell conference to proceed, the 
IEEE would be illegally providing the equivalent of heavy-duty 
military equipment to our nation’s foes. “As an IEEE 
member,” the writer concluded, “I suggest that IEEE might 
wish to review this situation, for these modern weapons 
technologies, uncontrollably disseminated, could have more 
than academic effect.” 


The letter was signed by a J. A. Meyer, who identified 
himself only by his home address in Bethesda, Maryland, 
and his IEEE membership number. 


Who was this concerned member? It turns out that in 
January 1971 this same Joseph A. Meyer had written an 
article for an IEEE publication called Transactions on 
Aerospace and Electronics Systems, a paper so unusual 
that the editors felt compelled to include an introductory 
note on its controversial nature. Entitled “Crime Deterrent 
Transponder System,” it proposed a system whereby “small 
radio transponders would be attached to criminal 
recidivists, parolees, and bailees to identify them and 
detect their whereabouts.” By tagging likely lawbreakers, 
Meyer claimed, we could create “an electronic surveillance 
and command-control system to make crime pointless.” The 
biographical material described Meyer as a New Jersey 
native born in 1929 who got a math degree from Rutgers, 
spent two years in the air force in the early 1950s, and, 
from that point, “joined the Department of Defense, where 
he has worked primarily in the field of mathematics, 
computers, and communications in the United States and 
overseas.” 


Even a moderately seasoned observer could guess that 
the unspoken branch of the Defense Department was a 
three-letter agency whose name seldom appeared in print 
in 1971. Indeed, several weeks after the Meyer letter was 
received, Science magazine confirmed the rumors: Joseph 
A. Meyer worked at the National Security Agency. 


The timing of Meyer’s missive aroused deep suspicions 
about the NSA’s involvement in crushing independent work 
on crypto. It was sent almost at the moment that Vice 
Admiral Bobby Inman assumed the NSA directorship and 
began waging the very war that Meyer had declared 
against academic cryptographers. In the succeeding years, 
however, nothing has emerged to contradict Meyer’s claim 
(vociferously seconded by the NSA) that he had received no 
orders from Inman or anybody else to send his notorious 
letter. (Inman now says that on the day Meyer was writing 
his letter, he was getting a “turnover” briefing from the 
outgoing director, Lewis Allen—and the topic of public 
cryptography never even came up.) The Senate Intelligence 
Committee, looking into the matter, came to that same 
conclusion in 1978, and now even Marty Hellman believes 
that it’s probable that Meyer was simply a loose cannon. On 
the other hand, the NSA conspicuously refused to repudiate 
the letter, and Inman later asserted to Congress that he 
believed that Meyer’s comments were valid ones. 


In any case, the Meyer letter had an immediate effect. 
Certainly, the organizers of the Cornell conference took the 
letter seriously—after all, if Meyer was right, they and the 
speakers at their conference could wind up in jail for simply 
presenting their research! It turned out, however, that the 
issue of technical data and the export regulations had come 
up a decade before at the society, and, as E. K. Gannett, the 
recipient of the letter, wrote back to Meyer in a fawning 
letter dated July 20, 1977, “All IEEE conference 
publications and journals are exempted from export license 
requirements under [ITAR] Section 125.11 (a) (1).” He 
went on to cite a footnote to that section that “places the 
burden of obtaining any required government approval for 
publication of technical data on the person or company 
seeking publication.” In other words, he was saying, it’s not 
our problem—it’s the problem of those members who dare 
perform research in the field. He expressed his gratitude to 
Meyer for “bringing this potentially important question to 
our attention,” and promised to bring the problem to the 
attention of “potentially interested parties.” Sure enough, 
on the same day, Gannett wrote a memo to Dr. Narenda P. 
Dwivedi, the organization’s director of technical activities, 
suggesting that the IEEE should perhaps ensure that the 
researchers “are aware of the rules of the game.” 


On August 20, Dwivedi wrote to researchers at six 
institutions. “A concerned and good-meaning member has 
drawn our attention to a possible violation by authors of 
ITAR regulations. ... It appears that IEEE and its 
groups/societies/councils are exempt but the individuals 
(and/or their employers) have to watch out.” Dwivedi then 
offered some advice for the new breed of researchers in 
cryptography: they “should refer the paper to the Office of 
Munitions Control, Dept. of State, Washington, D. C., for 
their ruling.” 


What Dwivedi was suggesting was neatly in line with J. A. 
Meyer’s wishes. But if a researcher submitted a paper to 
the State Department, he or she would effectively yield 
control of the work to the government. As far as the MIT 
researchers were concerned, there would be, as Science 
put it, “a censorship system by the NSA over the research 
of the MIT Information Theory Group.” 


One of the recipients of Dwivedi’s letter was Marty 
Hellman. He quickly showed it to Ron Rivest, who was 
spending his summer break at Xerox PARC in Palo Alto, just 
down the road from Stanford. “It was probably my first 
realization that our work might involve sensitivities,” he 
says. As soon as he got back to MIT, a worried Rivest 
consulted the institution’s lawyers. 


Rivest, of course, was concerned about the legal 
implications of stuffing copies of Technical Memo Number 
82 into the self-addressed letters with 35-cent stamps as 
part of the Scientific American “contest.” Was distribution 
of the RSA paper to the publication’s readers an illegal act? 
Could MIT be held at fault? Could Rivest and Adleman be 
jailed? And what about Shamir—he wasn’t even a U.S. 
citizen! Could MIT be cited for distributing a paper to one 
of its coauthors? 


“The requests for our paper were from all over the 
world,” says Rivest. “Some were from foreign governments. 
It wasn’t clear to me what we should do. When you receive 
this sort of ominous note from the NSA that this stuff is 
illegal, you want to be conservative and get it checked out.” 
Rivest even considered the possibility that some of the 
foreign requests for the memo might have been planted to 
entrap him under the export regulations, making him a 
poster boy for mathematicians who ventured too deeply 
into the forbidden turf of spy agencies. 


An answer came back quickly from the MIT 
administration—don’t send out those papers until this 
mess is resolved. To their credit, however, the heads of the 
university, sensitive to principles of academic freedom, 
worked diligently to clear the path for a free distribution of 
the tech memo. Despite MIT’s long history of working with 
national security agencies, often in top-secret research, this 
wasn’t easy. This time it was dealing with the National 
Security Agency—and at least some NSA officials, now face-to-face 
with an open challenge to their crypto monopoly, 
were themselves running scared. But this time, they had 
clear-eyed foes who believed that intellectual freedom 
should not be compromised on the basis of unproved claims 
of national security. In this new academic research area, 
new ground rules would be laid and most of the major 
decisions would be made in the early days. After setting the 
precedents, the MIT researchers believed, it would be 
much harder to change things in a fundamental way. 


At Stanford, Marty Hellman also wasted no time getting 
an opinion from the university lawyers. On October 7, 
university counsel John J. Schwartz assured him that “it is 
our opinion that the dissemination of the results of the 
research you describe is not unlawful.” Of course there was 
the danger that the lawyers were wrong, and the views of J. 
A. Meyer reflected those of the federal government; if so, 
Hellman might be prosecuted for delivering his paper. 
Schwartz promised that if that were the case, the university 
would defend him. “Nevertheless,” he added, “there would 
always remain a risk to you personally of fine or 
imprisonment if the government prevailed in such a case.” 


In the end, the Cornell conference—the ostensible focus 
of Meyer’s letter—went on as scheduled, including the very 
talks that Meyer had tagged as potential violations of the 
export rules and a threat to national security. It turned out 
that the professors had more backbone than the IEEE, 
which had urged them to vet their papers with the 
government. When two of Hellman’s graduate students 
fretted over the implications of getting cited by the 
government in the tender beginnings of their careers, he 
volunteered to read their papers himself. “I have tenure at 
Stanford,” Hellman told the New York Times, “and if the 
NSA should decide to push us in court, Stanford would back 
me. But for a student hoping to begin a career, it would not 
be so pleasant to go job hunting with three years of 
litigation hanging over his head.” 


Ralph Merkle spoke at a panel discussion, too. And Whit 
Diffie, who was not scheduled to speak at the conference, 
went out of his way to give a presentation at an informal 
session. “There was no trouble at the meeting,” he says. 
“My attitude was that the Meyer letter should be ignored.” 


Meanwhile, MIT’s lawyers were still wrangling with the 
National Security Agency over the legality of stuffing Tech 
Memo No. 82 into the 7000 self-addressed, stamped 
envelopes moldering in Shamir’s office and dropping them 
off at the post office. The academics had pointed out that a 
clause in the ITAR rules put them in the clear: a specific 
exemption on “published materials.” What did The Fort say 
to that? 


“As usual with NSA, it was hard to get any complete 
answer from them,” Shamir later recalled. More to the 
point, it became increasingly clear that the NSA could not 
come up with a legal rationale for its actions. So MIT 
allowed its professors to proceed. In December 1977, half a 
year after Gardner’s column appeared and the requests 
began tumbling in, the namesakes of the RSA algorithm 
invited grad students to a pizza and envelope-stuffing party. 


And then the papers were mailed. The RSA algorithm had 
gone global. 


Perhaps the existence of these thousands of papers 
circulating around the world, in addition to thousands of 
reprints and photocopies of the Diffie-Hellman papers, 
should have been a signal to the NSA that the crypto 
toothpaste was out of the tube, and no decrees or scare 
tactics could generate the requisite physics to squeeze it 
back in. But for the next few years the agency, perhaps 
more from reflex than an expectation of success, kept trying 
to suppress the intellectual activity in the crypto world that 
now seemed to be exploding outside the Triple Fence. 


In retrospect, the institutional behavior seems strange 
and conflicted. But what else could the NSA do? The CIA 
may have had a rich and sordid history of bag jobs, honey 
traps, and other nut-squeezing enterprises, but the Fort 
Meade culture was dramatically different. Though the 
agency had certainly stepped over the line at times (as the 
Church committee documented), the organizational ethos 
always seemed to regard heroism in terms of the highly 
intellectual tasks of sucking up signals, concocting ciphers, 
and cracking codes. During the years that Whit Diffie 
crisscrossed the nation seeking guidance in his crypto 
efforts, there hadn’t been even a veiled threat against him, 
and certainly no indication that anyone would sneak up 
behind him in a Palo Alto coffeehouse and quietly use the 
end of a doctored umbrella to inject him with some exotic, 
slow-acting poison. That just wasn’t the NSA’s style. 


A better question would be, “Given that the law might not 
back up the agency, why bother to fight the movement 
toward research in crypto?” Surely some of the smarter 
strategists within the Triple Fence recognized that, in some 
ways at least, an independent crypto movement would not 
be so bad for Fort Meade. Who was better positioned to 
exploit the revolutionary advances in cryptography than the 
NSA, whose expertise and knowledge of the field was 
infinitely ahead of anything resembling competition in 
either the private or public sectors? 


This was the dilemma facing Vice Admiral Bobby Inman 
literally within days after he took his post as director in July 
1977. Though he had considerable experience with crypto 
as the director of naval intelligence—and years before that 
as a military recipient of signals intelligence—the idea of 
outsiders making important cryptologic advances was new 
to him. He had believed, along with most of his peers in the 
intelligence community, that “the NSA had a monopoly on 
talent,” he now says. “If there were incredibly bright people 
who wanted to work on cryptographic problems, the odds 
were high that they either worked inside the NSA, or 
worked with one of the scientific advisory groups [whose 
work was Classified].” This insurgent revolt hit him like a 
fighter sucker punched at the instant the bell rang to begin 
the fight—especially since the furor over Meyer’s letter 
drew articles in the New York Times and the Washington 
Post. Inman understood immediately that not only was this 
a new sort of threat to his agency, but that new, perhaps 
unprecedented, responses were called for. 


Nonetheless, during the first few months of Inman’s 
tenure, the NSA kept acting as if the rules had not changed. 
In October 1977, an electrical engineering professor at the 
University of Wisconsin named George Davida applied for a 
patent for a device that used mathematical techniques to 
produce stream ciphers. He had produced the plans for this 
invention without any access to classified information, and 
his funding from the National Science Foundation had no 
strings attached to require him to clear his work with any 
defense agency. The patent itself was filed in the name of 
the university’s Alumni Research Foundation, conforming to 
a process whereby the university community retains the 
bulk of any invention profits by Wisconsin professors funded 
by the NSF. Davida next heard from the government on 
April 28, 1978, not with a patent approval but with a piece 
of paper marked SECRECY ORDER. The National Security Agency had 
declared his invention classified material. 


It was bad enough that the NSA had banned production 
of his device. Worse was the dilemma in which Davida found 
himself. The order put a clamp of secrecy not only over his 
device, but over the intellectual material behind the patent 
application as well. In effect, the NSA regarded Davida’s 
actual ideas as a sort of poison, a forbidden substance he 
was banned from circulating. Davida had little guidance as 
to how he might adhere to the ban, since his materials had 
already been well distributed. Was he really expected to 
follow the requirement to report all the people who might 
have seen his work—in effect, to drag his colleagues into 
this kafkaesque realm of ideas too dangerous to share? On 
the other hand, if he refused to comply with the secrecy 
order, he was subject to a $10,000 fine and two years in the 
pokey. 


Davida was not alone. On that same day in April, the NSA 
had slapped a secrecy order on the “Phasorphone,” a voice-scrambling 
device created by a team of scientists led by 
thirty-five-year-old Seattle technician Carl Nicolai. Five 
months after applying for a patent for an invention that he 
hoped would make him a fortune, Nicolai was not only 
prevented from selling his invention, but also from even 
using it. 


In spook parlance, Davida and Nicolai had become “John 
Does,” stripped not only of their work but of the credit due 
to them. As James Bamford explained in The Puzzle Palace, 
theirs were the relatively rare cases in which objectionable 
inventions were not independently discovered duplications 
of devices that already existed behind the Triple Fence but 
original creations that the government unilaterally 
regarded as too dangerous to be produced. 


But as the NSA was to learn, the days were gone when it 
could casually apply a secrecy order to the work of an 
academic or entrepreneur and have the matter closed. 
Davida and Nicolai went public, organizing well-placed 
letter-writing campaigns, educating their representatives in 
Congress, and spilling the story to the press. Davida, in 
particular, a compact, scrappy man who was disinclined to 
take the U.S. government at its word, was strident in his 
own defense. In his case, a quick meeting of university 
officials led the chancellor to write a furious letter to the 
NSF, demanding due process. The chancellor also brought 
the matter before Commerce Secretary Juanita Kreps, who 
was apparently dismayed at how easily her patent office 
could become an instrument of censorship. Meanwhile, 
Davida raged to Science magazine that the NSA’s actions 
were a form of academic McCarthyism. 


The NSA backed down. On June 13, it rescinded the 
order. Vice Admiral Inman’s later explanation, offered 
during a House hearing on “The Government’s 
Classification of Private Ideas,” was that the Davida decision 
was a mistake by a middle-level employee. 


Several months later, the restrictions on the Nicolai 
patent were also reversed. Since Inman himself had signed 
off on that secrecy order, he later offered a “heat of battle” 
excuse to the House subcommittee. “From dealing day to 
day with the Invention Secrecy Act, you have to make snap 
decisions,” he explained. Overall, he insisted that the 
problem with those two orders was “not a faulty law but 
inadequate government attention to its application.” Still, 
that double rebuke made it clear that the NSA no longer 
had free rein in using the law to keep crypto in 
government-approved sealed containers. 


By then Inman had decided to take his concerns directly 
to the institutions he was worried about. In what David 
Kahn called a “soft sell” attempt to quash work in 
cryptography, he embarked on a tour of research 
institutions. One memorable session occurred in the faculty 
club at the UC Berkeley campus, where Inman’s attempts 
at explaining his point of view were met by relentless, 
hostile questioning. “It was a dialogue of the deaf,” he says. 
Still, some comments made at the session led him to believe 
that a more productive relationship was possible. In an 
extraordinary move for an NSA director, he phoned Marty 
Hellman and asked for a meeting. “I liked him,” says Inman 
of the coinventor of public key crypto and DES’s most 
virulent critic. “I think he was impressed that I had driven 
down to see him, so his answer [to the request to begin a 
dialogue on how public crypto should be handled] was a 
tentative yes.” 


Inman tried to defuse the most blatant of the NSA’s 
restrictive acts against researchers, many of whom believed 
that, more than ever, the NSA was trying to lure them 
behind the Triple Fence, where their findings could be 
restricted. One of those who learned this firsthand was Len 
Adleman, the once-reluctant “A” in the RSA algorithm. For 
years Adleman had been receiving research funds from the 
NSF, routinely renewing his grants every three years. In 
the first proposal he filed after being involved with the RSA 
algorithm, he included a section outlining some work 
involving mathematics that might apply to cryptography. 
After fielding the normal questions on such a proposal— 
budget questions and the like—Adleman was startled by a 
phone call from an NSF official informing him there would 
be additional changes. Specifically, the portion of the work 
that involved crypto would be funded by the National 
Security Agency. 


“I didn’t submit a proposal to the NSA,” Adleman told 
him. “I submitted it to the NSF, right?” 


The official conceded that this was so. But, he said, “It’s 
an interagency matter,” and ended the conversation. 


Adleman was incensed. He understood that there might 
be legitimate national security concerns about the direction 
of academic cryptography. (What if someone suddenly 
released a means to crack an important code?) But this was 
over the line. It meant that the country’s most secretive 
intelligence agency was influencing the premier scientific 
funding agency. “In my mind this threatened the whole 
mission of a university, and its place in society,” he says. 
Adleman decided to go public with his concerns. He called 
Gina Kolata, the reporter for Science who had been 
covering the conflict, and told her the story. 


Not long afterward, Adleman got another call—from 
Bobby Inman himself. The whole thing, explained the 
director of the National Security Agency, was a 
misunderstanding. “He was very nice,” recalls Adleman. 
The researcher wound up getting his entire grant funded 
by the NSF. 


For Inman, such compromises were in the service of 
eventually reaching some sort of détente with the 
academics that would satisfy both national security 
concerns and the researchers’ insistence on academic 
freedom. He believed that, ultimately, he held the trump 
card—one that would not only force the academics to play 
ball but also actually stem the potential tide of actual crypto 
implementations from covering the world. This winning 
hand lay in the laws known as the International Traffic in 
Arms Regulation. When Inman first arrived at The Fort, he 
told Congress at a hearing some years later, “I didn’t even 
know what an ITAR was.” But, he added, “my education 
went at a pretty fast pace.” 


Specifically, he now says, he came to realize that when it 
came to controlling crypto late in the twentieth century, 
“the whole issue is export.” Those laws were all that 
prevented a disastrous free-for-all in the distribution of 
cryptography—the equivalent of a national security 
meltdown. Inman recognized that restrictions on what 
could be shipped overseas, and the threat of prosecution if 
those laws were broken, would force people to deal with the 
NSA not only in what they were permitted to export, but in 
what they produced for domestic use. Those regulations 
would become the linchpin of the agency’s efforts to stop 
worldwide communications from becoming ciphertext. 


Ironically, the NSA’s own attempts to control private 
research about cryptography had set events in motion that 
threatened to thwart those regulations. The then-White 
House science advisor was a man named Frank Press. The 
controversy over public crypto had piqued his interest, and 
he asked the Justice Department to provide a legal opinion 
as to whether the ITAR laws violated First Amendment free-speech 
protections. The job fell to an assistant attorney 
general named John Harmon, who carefully analyzed the 
way the regulations were drafted. He discovered that ITAR 
required a license not only from arms dealers, but also from 
“virtually any person involved in a presentation or 
discussion, here or abroad, in which technical data could 
reach a foreign national.” Presentations and discussions? 
That was the First Amendment turf! On May 11, 1978, the 
Office of the General Counsel issued its opinion. It was a 
bombshell: 


It is our view that the existing provisions of the 
ITAR are unconstitutional insofar as they 
establish a prior restraint on disclosure of 
cryptographic ideas and information developed 
by scientists and mathematicians in the private 
sector. 


Inman was furious at this analysis, and he set about to 
fight it. He recruited “a brilliant new lawyer that I had 
persuaded to come work for NSA” to argue against the 
opinion. One gambit was to claim that a recent legal 
precedent had rendered the Harmon opinion moot. But a 
Justice official rebuffed that interpretation. “We do not 
believe that [the precedent] either resolves the First 
Amendment issues presented by restrictions of the export 
of cryptographic ideas or eliminates the need to reexamine 
the ITAR,” wrote deputy assistant attorney general Larry 
Hammond. 


Meanwhile, the NSA was treading a fine line. It was 
attempting to threaten crypto researchers who circulated 
their findings and ideas while it was fully aware that the 
Justice Department had concluded that such threats 
violated the Constitution. 


All of this wrangling was conducted out of the public eye. 
And none of it seemed to have affected the way that the 
NSA chose to interpret the export laws. So even though 
Vice Admiral Inman’s sharp young counsel was legally 
unable to overturn John Harmon’s findings, the attack 
against his opinion was effective. Because by not circulating 
its judgment in the matter, the Justice Department was 
effectively colluding with the NSA to ignore the possibility 
that its enforcement of the ITAR regulations violated the Bill 
of Rights. 


All of this came out in 1980, when the government 
operations subcommittee of the House of Representatives 
held hearings on “The Government’s Classification of 
Private Ideas.” At one point, the committee staff director, 
Tim Ingram, posed a pretty good question. “How would I 
know, as a private litigant somehow ensnarled in the ITAR 
regulations, that I am being involved in a matter that the 
Justice Department, two years previously, has declared 
unconstitutional?” he asked. A Justice official explained that 
the opinion hadn’t been offered for the benefit of such 
citizens, but simply as advice to the department itself. 


This was not acceptable to Ingram. Perhaps thinking of 
the Rivests and Hellmans who had been threatened with jail 
for presenting their papers, or the Davidas and Nicolais 
who had been confronted with secrecy orders, or all the 
current researchers like Adleman who were now 
encountering more subtle pressures, Ingram had another 
question to ask: 


You have this two-year-old opinion finding the 
regulation unconstitutional. There has been no 
change in the regulations. Is there any 
obligation on the department at some point to 
go to the president and force the issue and to 
tell the president that one of his executive 
agencies is currently in violation of the 
Constitution? 


No satisfactory answer was forthcoming. In any case, 
Bobby Inman was worried about the new movement in 
cryptography and his limited power to stem it. His worst 
fear was that public adoption of encryption “would very 
directly impact on the ability of the NSA to deliver critical 
information.” He became convinced the agency needed a 
more formal authority to regain the controls over crypto. In 
his attempt to obtain this, he did something no one in his 
place had ever done. He went public. 


His chosen venue for this debut was Science magazine, 
the most aggressive press watchdog over the past few 
years. Of course, the very fact that the interview was 
granted was news in itself. The article quoted F. A. O. 
Schwarz, who had been chief counsel in the Church 
investigation, as saying, “I’m flabbergasted. Back when we 
dealt with the NSA, they considered it dangerous to have 
even senators questioning them in closed session.” But 
there was news in Inman’s message, too—the NSA director 
was now openly extending his invitation for researchers to 
engage in “dialogue” with him and his people. “One motive 
I have in this first public interview,” he said, “is to find a way 
into some thoughtful discussion of what can be done 
between the two extremes of ‘that’s classified’ and ‘that’s 
academic freedom.’ ” But in almost the next breath, he 
conceded that if he got his way—and was able to censor 
academic research that involved national security—his 
proposed “thoughtful discussion” would probably end in “a 
debate between the Administration and the academic 
community” (one in which presumably the pissed-off college 
professors wouldn’t have much of an impact on making the 
government change its national security policy). 


A few weeks later, Inman made an even more 
extraordinary break with the NSA’s tradition of secrecy. He 
actually delivered a public speech in defense of his agency. 


True, the venue wasn’t exactly hostile—it was the January 
1979 gathering of a trade association of electronics 
manufacturers who dealt largely in defense contracts. Yet 
the very fact that he was doing it represented a sea change 
that could provoke vertigo in even a vice admiral like Bobby 
Inman. He acknowledged this in his very first words: “A 
public address by an incumbent director of the National 
Security Agency on a subject relating to the agency’s 
mission,” he said, “is an event which—if not of historic 
proportions—is, at least to my knowledge, unprecedented.” 
In fact, just a few years previous, merely uttering the name 
of the agency would have been unprecedented. 


Now Inman was frankly admitting that the world had 
changed, and not by his choice. He referred wistfully to the 
days, only now gone, when his people “enjoyed the luxury of 
relative obscurity,” remaining closemouthed about their 
work to spouses and even office mates... the days when 
NSA “could perform its vital functions without reason for 
public scrutiny or public dialogue.” But now, in what he 
called “the encounter between the NSA and the rest of the 
world,” a new era had begun, where the NSA’s happy life 
spent “entirely in the shadows” was replaced by an era of 
“complex tensions” between the government and those 
wishing to communicate securely. Inman’s hope for his talk 
was to explain the NSA’s point of view on those tensions, the 
better for people to understand why it was, well, necessary 
to do things his way. 


Trust the NSA? Yes, said Inman. His people had gotten a 
bad rap recently, and he wanted to set the record straight. 
Did his agency cook the specifications for DES, perhaps 
inserting a trapdoor? No way. Did the NSA use export 
regulations to suppress scholarly work? Uh-uh. Exert 
influence to quash research grants? Please. The NSA, he 
insisted, was anything but “some kind of all-powerful secret 
influence.” In fact, that was the problem: while outsiders 
griped about a mighty spy agency with too much power 
over cryptography, “My concern,” said Bobby Inman, “is 
that the government has too little.” 


In a way, Inman had an excellent point; despite being the 
richest intelligence agency on the planet, the NSA was 
relatively toothless. But for its first decades of existence, 
the agency hadn’t needed laws of its own. Its advantages 
included not only the force of law but the fact that 
sophisticated cryptography was a devilishly specialized 
field, one that few people attempted to engage in, and even 
fewer could gain sufficient knowledge in to be a player. It 
was nearly inconceivable that outsiders, or even small 
governments, could compete with its fire-breathing 
computers, its world-class mathematicians, its unparalleled 
experience, its understanding of crypto history. But then 
came the Whit Diffies of the world—mathematically 
knowledgeable, with access to computers, and knowledge 
gleaned from books like David Kahn’s, books that the NSA 
had failed to suppress. Now there were dozens of them, 
academics like Ron Rivest and potential entrepreneurs like 
Carl Nicolai. These outsiders were backed by a cadre of 
civil libertarians, screeching that crypto breakthroughs 
could strike a blow to Big Brother. And suddenly, even the 
weak-hearted attempts of the NSA to stop the tide were 
being demonized on the front page of the New York Times. 
In Inman’s view, the victim was not free speech, but 
national security. 


But Inman’s proposed solution—a national sacrifice of 
free speech to preserve the national security—was doomed. 
He wanted trust. If he were to get academics to consciously 
forgo their freedom of speech, he needed trust. If trust 
were currency, though, the NSA’s balance would be roughly 
zero. It had never even bothered to open a bank account! It 
would take more than historic speeches by a sitting director 
for the NSA to figure out how to manipulate the 
increasingly out-of-control beast of nongovernmental 
crypto. 


As far as stopping academic research in cryptography, 
Inman lost that round. Despite his attempts to get Congress 
to grant the NSA legal authority to suppress publications, 
the First Amendment prevailed. Most impressively, the 
exemption in the ITAR for “technical publications” was 
clarified to the point that even a Fort Meade apparatchik 
couldn’t call it ambiguous. “Provision has been added,” 
went a 1980 revision of the rules, “to make it clear that the 
export of technical data does not purport to interfere with 
the First Amendment rights of individuals.” 


Bob Inman ultimately did forge a sort of compromise with 
the research community. At the NSA’s request, the 
American Council on Education organized a Cryptography 
Study Group to seek common ground. The group, which 
included both the NSA’s general counsel and a host of 
academics, including critics Marty Hellman and George 
Davida, held its first meeting in March 1980 to consider 
Inman’s proposal that some sort of statutory review process 
be imposed on private crypto researchers. The group 
rejected the idea, citing First Amendment considerations 
and the NSA’s inability to show evidence that such laws 
were absolutely necessary to defend the nation. The 
group’s alternative solution was a two-year experimental 
process by which those publishing work with relevance to 
cryptography could voluntarily submit papers to the NSA 
for review. If the NSA read the paper and felt that the 
information would somehow compromise national security, 
the researcher could consider such warnings and decide for 
himself whether or not to publish. Meanwhile, the agency 
would continue to fund the research of professionals willing 
to follow its rules, while allowing others to pursue funding 
by the NSF or any other agency. 


George Davida issued his own minority report, rejecting 
even voluntary review. He dismissed the NSA’s concerns 
outright, including its worry that research results might 
help foes crack our own cryptosystems. “This is not likely,” 
he wrote, “because researchers do not engage in 
cryptanalysis.” His conclusion was “the NSA’s effort to 
control cryptography [is] unnecessary, divisive, wasteful, 
and chilling. The NSA can perform its mission the old- 
fashioned way: STAY AHEAD OF OTHERS.” 


Nonetheless, the policy worked quite well from the point 
of view of researchers, since this meant that there was a 
way to deal with the NSA—or ignore it—without having to 
worry about getting their work deemed a government 
secret. The two-year trial period of this policy passed 
peacefully, after which the NSA quietly dropped any 
pretense of demanding a presubmission of anything 
produced by an American academic. It faithfully read 
papers in the field submitted voluntarily, and one of its 
scientists would occasionally address a question to an 
author, even pointing out a mistake here and there. It was 
all done cordially, because the NSA had no authority to go 
further than that. 


As the 1980s began, the first decade in the NSA’s 
existence when it had private competition, no one 
understood the challenge better than Bobby Inman, whose 
agency was charged with routinely intercepting foreign 
communications concerning the Iran hostage crisis and the 
Russian war in Afghanistan. He was haunted by the idea 
that one day Fort Meade would not be able to deliver such 
high-quality intelligence—because cryptosystems conceived 
and developed in the United States would be put into 
widespread commercial use. “I began to appreciate the 
export concern much more strongly,” he says. In a world 
where the basic concepts behind sophisticated encryption 
were found in public libraries and articles in Scientific 
American, and where a cryptosystem endorsed by the 
government itself—DES—was turning out to be more 
popular than the NSA expected, it was more important than 
ever to stop crypto at the border. The NSA director had it 
pegged: the whole issue is export. 


Diffie, Hellman, and the MIT trio might have broken the 
NSA monopoly, but Inman and his successors were not 
without their weapons. In a way, the war over crypto was 
only beginning. 


selling crypto 


For the next few years, tensions seemed to ease between 
the government and the newly emerging independent 
forces in the world of crypto. After Bobby Inman’s 
unsuccessful campaign to censor crypto researchers 
legislatively, the agency seemed willing to coexist with 
academics treading on turf it once had owned exclusively. 
There might have been some wishful thinking in all of this, a 
sense at the NSA that all of these greenhorn academics 
were unlikely to turn up anything that might truly threaten 
The Fort’s mission. If the bureaucrats behind the Triple 
Fence believed that, though, they were in deep denial. The 
seminal breakthroughs at Stanford and MIT had turned a 
beacon upon the imaginary crossroads of crypto, where 
mathematics, computer science, and data security met. In 
1971, when Whit Diffie wanted to talk to someone about 
crypto, he had to travel miles for morsels. A decade later, 
over a hundred members of the new crypto community 
were spending days together on a Pacific beach, discussing 
everything from cutting-edge algorithms to cryptanalysis. 


The “Crypto” conferences began in 1981, when a 
University of California at Santa Barbara electrical 
engineering professor named Alan Gersho invited about 
120 potential attendees to his campus, a sprawling 
collection of modest structures on a bluff overlooking the 
ocean. He’d gotten the names from a list Len Adleman had 
compiled of people who’d shown an interest in 
nongovernmental cryptography. Gersho had wheedled a 
grant from the National Science Foundation to stage the 
event. About one hundred people showed up, including 
Diffie, Rivest, Merkle, and other newly minted luminaries in 
Cipher Land. They delivered papers—many of them offering 
refinements on the new public key schemes like knapsacks 
and RSA—gave talks, and schmoozed at cafeteria lunches 
and a barbeque on the beach. Gersho had planned the 
conclave as a one-time gathering, and despite the 
excitement, there were no immediate plans for a follow-up. 
Not long afterward, some European cryptographers held 
an invitation-only meeting in Germany, but that was also 
designed to be a stand-alone event. 


It was a then-minor player in the Santa Barbara shindig, 
a mere graduate student, who actually took the lead in 
making sure that such meetings would be held regularly. 
His name was David Chaum, and he would not be a minor 
player in the field for long. Working with no support, he got 
a copy of Adleman’s list of crypto academics and began 
organizing a return to the beachfront campus. Chaum also 
felt that the overseas event should be repeated, but under a 
different group of leaders. He hadn’t been invited to the 
German meeting but had gotten the impression that its 
organizers were “a little off to the right.” So he talked to 
some European cryptographers about organizing an annual 
spring “Eurocrypt.” Finally, Chaum thought that both yearly 
shebangs should be under the care of an actual 
organization of independent cryptographic researchers. He 
quietly made plans to form such a group. His inspiration 
was a speech by Martin Luther King Jr. he’d once heard 
that emphasized the word “organization” as a path to 
liberation. 


Concerned about possible pressure from the NSA to 
smother his plans in the bassinet, Chaum kept his 
communications to a minimum. You never know who’s 
listening, especially in a government of snoops. He took 
care to compartmentalize the information he discussed with 
people: while he landed Ron Rivest to chair the Santa 
Barbara conference program, for instance, he didn’t share 
his plans for the crypto society with Rivest. He avoided the 
telephone, instead arranging face-to-face meetings with 
those he wanted to reach. He typeset the conference 
notices himself, and got them printed at the same small 
Berkeley type shop that produced Covert Information 
Bulletin, a well-known newsletter critical of U.S. intelligence 
activities. 


His efforts paid off: the second conference, Crypto ’82, 
turned out to be even more exciting than the first. 
Serendipitous events, like the freewheeling “rump session” 
held toward the end of the week, solidified into traditions. 
The rump sessions, usually hosted by Diffie, mixed frivolous 
parodies of mathematics papers with serious, last-minute 
cryptological developments, but the tone was often raucous 
and irreverent. One year, speakers were required to speak 
in a code that replaced certain words with silly alternatives 
(for instance, instead of “Diffie-Hellman,” you had to say 
“Coke bottle”). Missed cues were greeted with a shower of 
water. Another year, some foreign visitors took too literally 
Diffie’s announcement that there would be a special session 
before breakfast the following morning with ninety minutes 
of Belgian jokes. 


One well-anticipated session at Crypto ’82 was the 
presentation of a collection of papers on cryptanalysis, 
chaired by Whit Diffie. The very inclusion of the topic on the 
agenda couldn’t have pleased the NSA: in its view, any 
knowledge of codebreaking outside the Triple Fence 
represented a possible threat to its own codes. Diffie 
himself had been worried that the session would be a bust. 
Over the winter he had arranged for the presentations. But 
one by one, for various reasons, his presenters dropped out. 
By late spring only one survived—a talk entitled “The 
Bombe at Bletchley Park,” by one of the original World War 
II codebreakers. 


It was Adi Shamir who came to the rescue. Shamir had 
been studying Ralph Merkle’s knapsack scheme for public 
key cryptography. And now, several weeks before the 
conference, he thought he had broken it, at least the 
weaker variation of the system known as the single- 
iteration knapsack. In the days following his announcement, 
others figured out a way to use his techniques—which 
themselves were based on mathematical innovations 
discovered by Hendrick Lenstra—to launch wider attacks. 
Diffie’s panel would be the ideal time to test these ideas. So 
by the time the cryptographers met in Santa Barbara that 
summer, Diffie’s program was filled with would-be assaults 
on knapsacks. 


The most interesting one would be Len Adleman’s. He not 
only had come up with a variation on Shamir’s ideas, but 
had also actually programmed the technique on his Apple II 
personal computer. The cryptographers in Santa Barbara 
decided to try a little experiment. During the first night of 
the conference, a gauntlet was tossed to Adleman—an 
encrypted knapsack message. Could he use his little 
machine to decode it? (If so, he would presumably collect 
the $100 reward Merkle had offered some years earlier.) 
The answer would come a couple of days later, right there 
in Diffie’s session, when Adleman’s attack would either 
bring him new glory—or leave him mortified in front of his 
crypto contemporaries. 


Adleman was scheduled to speak last. “The hour passed,” 
Diffie later recounted. “Various techniques for attacking 
knapsack systems with different characteristics were 
heard; and the Apple II sat on the table waiting to reveal 
the results of its labors.” When Adleman came forward to 
speak, he appeared anything but confident. He said he’d 
give “the theory first, the public humiliation later.” (He 
subsequently would explain that the humiliation he referred 
to was not Merkle’s but his own, if “the numbers didn’t turn 
out right.”) Then he proceeded with a description of his 
methods. While he talked, Carl Nicolai (the inventor whose 
crypto device had been temporarily suppressed by an NSA 
secrecy order in 1978), fiddled with the Apple II, which had 
been working away for the past few days, using Adleman’s 
formula to crack the encrypted message. Before long, 
Nicolai began painstakingly copying a screenful of numbers 
from the Apple’s monitor onto an overhead-projector 
transparency sheet. 


Finally, Adleman finished describing how his attack 
worked. It was time to see whether it worked. Nicolai gave 
the transparency to Adleman, who handed it to Adi Shamir. 
He also gave Shamir the sealed envelope with the 
numerical message encrypted earlier in the conference. 
Shamir placed the sheets side by side in the overhead, 
beaming the results on the screen. They matched precisely. 


Diffie would later write that “the public humiliation was 
not Adleman’s—it was the knapsack’s.” Indeed, this crack 
was the penultimate blow in what would turn out to be the 
utter destruction of the groundbreaking, clever, yet 
ultimately useless Merkle knapsack public key 
cryptosystem. The coup de grace was instigated by Merkle 
himself. Paying the $100 to Adleman had not been 
particularly traumatic; Merkle had half expected someone 
to break the single-iteration knapsack scheme, which was 
the much weaker cousin of the real thing, the multiple- 
iteration version. In fact, Merkle felt secure enough to cast 
another challenge. In November of that year, he wrote a 
letter to Time magazine, offering $1000 to the first intrepid 
cryptanalyst who successfully decoded a multiple-iteration 
knapsack. Two years later, Merkle had to write a check for a 
cool grand to a researcher from Sandia National 
Laboratory named Ernie Brickell, who used a government 
Cray supercomputer to rip open a 40-iteration knapsack. 
When later asked what the problem was with the knapsack 
scheme, Merkle was succinct: “It didn’t work.” 


The significance of the knapsack attacks went far beyond 
the destruction of Merkle’s system. In fact, the moment at 
which Len Adleman’s Apple publicly destroyed a potentially 
valuable cryptosystem could be seen as a symbolic turning 
point in the still uneasy balance between the NSA-affiliated 
crypto spooks and the swelling ranks of outsiders who 
independently studied the protocols of crypto and routinely 
published their results. It was now clear that simply by 
sending scientists to a conference and subscribing to a few 
journals, a foreign government could get the kind of 
training in cryptology that was previously limited only to a 
sanctioned elite. It meant that codebreakers everywhere 
would be more resourceful. Only months before, 
government critic George Davida had mocked the NSA’s 
calls for prepublication review by asserting that the 
agency’s biggest worry—that the outsiders would circulate 
codebreaking methods—was ridiculous. “Researchers do 
not engage in cryptanalysis,” he wrote. But clearly, they did. 


Some at the NSA understood the threat that an 
independent crypto community represented: one of them 
approached Diffie and glumly observed, “It’s not that we 
haven’t seen this territory before, but you are covering it 
very quickly.” 


The only thing worse for the NSA would be watching the 
work of these academic cryptographers put to practical 
use. If an industry could be built on selling cryptography, 
and masses of people started using coding technologies, 
then the clear unencrypted signals intercepted by the 
NSA’s listening devices—whether cell phone calls or 
computer e-mail and files—would change to a dense white 
noise, a chaotic fugue that the agency’s computers might, 
with some effort, decipher. Or might not. 


Could crypto be commercialized? Although the common use 
of personal computers, and, later, the Internet, demanded a 
way to protect information and verify who was sending it, 
the means of getting there was at best a rutted path. The 
bumps and potholes in that road are best illustrated by the 
fortunes (or lack of them) of the company founded by Ron 
Rivest, Adi Shamir, and Len Adleman. As with their 
landmark algorithm, the firm bore their initials. But while 
the RSA algorithm quickly reached an enthusiastic 
audience, the trajectory of their commercial operation 
initially threatened to resemble a busted missile launch. 


In fact, despite the rosy predictions of a crypto 
Renaissance in the seminal Diffie-Hellman and Rivest- 
Shamir-Adleman papers, there was little reason in the early 
1980s to believe that serious bucks would ever be earned 
with the technology. Who would get venture capital to 
manufacture crypto products? How would those products 
be built into systems so that one could reasonably be 
assured that a scrambled document could actually be 
unscrambled by its recipient, or that the person receiving a 
digital signature would have the wherewithal to verify it? 
Nobody knew whether actual paying customers would be 
willing to put up with the difficulties that would come with 
having their computers crunch huge numbers for 
encryption and authentication. In fact, nobody knew if a 
substantial enough set of customers existed who were 
willing to pay for those things at all. “Some people said our 
stuff might turn out to be useful, but it wasn’t clear whether 
this would turn out to be successful in a commercial sense,” 
says Rivest. 


Still, the universities that had employed the crypto 
researchers hedged their bets by patenting their public key 
breakthroughs. In December 1977, MIT filed for its patent 
on the RSA algorithm. Ironically, the very act of filing for a 
patent made crypto’s widespread adoption potentially less 
likely. There was a definite Catch-22 aspect to claiming 
crypto as intellectual property: if algorithms were patented, 
then they could be used only by those who licensed them 
from the owners (presumably for a fee). But such tariffs 
might create a disincentive to universal adoption. If crypto 
was to be useful on a large scale, it stood to reason that 
everyone had to be using the same system, a convergence 
that would come about much more quickly if the system was 
free. It was a classic example of the Network Effect, a 
positive feedback loop in which value comes only with 
ubiquity. If everyone wasn’t using the same algorithms, 
then communicating with others in secret would be 
infinitely more difficult. It would be as if Bob had to worry 
about what brand of phone Alice used before he could ring 
her up. 


Not that this bothered the institutions that helped 
subsidize the public key research. While MIT had only the 
RSA system as its intellectual property, Stanford actually 
pursued a number of patents, ranging from a general claim 
for public key crypto to more specific implementations, 
including the Diffie-Hellman key exchange protocol and 
Merkle’s knapsack scheme. 


But the benefits of holding patents would be limited. For 
one thing, the largest current market for crypto—the 
government—didn’t have to pay to exploit either the 
Stanford or the MIT work. Both sets of cryptographers had 
enjoyed the support of the National Science Foundation, 
and the fruits of such subsidized research were, by law, 
available without charge, in perpetuity, to any and all 
federal agencies. And if that weren’t enough of a handicap, 
it turned out that both the Stanford and the RSA patents 
were valid only in the United States. In the case of both 
breakthroughs, the researchers had presented their 
findings before actually applying for the patent, an innocent 
mistake that didn’t affect their patent rights in the States 
but that did (because of the way patents are treated 
abroad) disqualify them from such protection in Europe. 


Still, once the patent filings were under way, it became 
clear to Rivest, Shamir, and Adleman that they still had the 
inside track on exploiting those patents. MIT was known to 
be generous in licensing its intellectual properties to the 
people who actually created them. (Any other stance would 
have risked a faculty revolt.) But the trio faced a unique 
situation: their crypto scheme had the potential to be a 
worldwide standard for privacy and commerce, but so far, 
the only thriving commerce in the field was in the realm of 
defense contractors and the relatively new market for DES- 
based products for financial institutions. In any case, none 
of the three researchers had any business experience. 


Nonetheless, they decided to forge ahead, hoping to 
transform their mathematical breakthroughs into 
something that actual human beings could use to 
communicate. Their hopes were high, and at least one of 
them thought that a payoff was around the corner. Len 
Adleman splurged on a flashy red Toyota. “It cost three or 
four thousand bucks, a big investment since I was making, 
like, thirteen thousand a year,” he says. “But I thought I 
would soon have money to throw away.” 


One of the problems in the late 1970s was that the most 
common general-purpose computers were too weak to 
generate good RSA encryption. In order to efficiently 
perform the calculations required to generate primes for a 
key and do all the mathematics required in encryption, 
decryption, and authentication, the MIT professors 
essentially would have to build a little computer-within-a- 
computer (on a circuit board loaded with specially designed 
chips) dedicated to those tasks. Rivest, aided by his 
colleagues, began working on such a device. After months 
of work they came up with hardware that could crunch two 
50-digit primes in less than a second. 


Then reality sank in. There was no way that these 
relatively expensive circuit boards could become a mass- 
market product. It was absurd to assume that millions of 
people would pay several hundred dollars to install a 
complicated circuit board inside their computers in order to 
participate in a revolution that they hardly understood. 


So in 1981, the MIT trio came up with a more plausible 
scenario. They would put the RSA algorithm on a chip. 
Semiconductor chips could be mass-produced, and when 
millions of them were churned out, their costs shrank. You 
could even put tiny chips on credit-card-sized “smart cards” 
for people to carry around. 


The timing seemed right. Just a few years earlier, when 
IBM used its vast resources to make history by putting DES 
on a chip, it had been inconceivable that a few academics 
could attempt such a feat without a passel of deep-pocketed 
investors. Back then, such a feat would have been about as 
unlikely as a few grad students in some random 
engineering department deciding to launch a rocket to the 
moon. But in the interim, a Caltech professor named Carver 
Mead had changed all that. Mead, a veteran of the Silicon 
Valley semiconductor industry, was the guru of Very Large 
Scale Integration (VLSI), a technology that shrank what 
was once a huge computing machine into a thumbnail-size 
silicon chip. Eager to encourage research in the field, Mead 
had not only published a book on the subject, but helped set 
up a fabrication facility—known as a fab—to help academics 
actually build their own chips. At the time MIT was gearing 
up its own VLSI program, and Rivest signed up to run an 
experimental project that would result in getting the entire 
RSA process on one of those tiny chips. 


Meanwhile, they continued what had become an ongoing, 
if unintentionally comedic, effort to interest a big business 
mogul—any mogul—in the world of cryptography. As math 
nerds unschooled in the niceties of venture capital and 
unsuited for poker-faced negotiations, they were at the 
mercy of any random suit they hooked up with. But 
sometimes they lucked out and met someone who actually 
connected with the religion of it all. One such fellow was Pat 
Cremen, a loquacious Irishman who worked for the big 
Ericsson electronics firm. But he, too, was more of a vision 
seeker than a deal cutter. After examining the MIT crew’s 
algorithms, he broke into rhapsodies about the coming age 
of electronic wallets and virtual money. Rivest and his 
colleagues were transfixed by that vision, and probably 
wound up mentally counting the megabucks that would fill 
their own digital wallets when this new world came into 
being. They traveled to Dublin to pursue the idea. While the 
mutual admiration society was morale building, it turned 
out to be nothing more than that. Cremen ultimately failed 
to convince his bosses at Ericsson to put up the bucks. 


Maybe the bosses were right. There is a telling anecdote 
from this period. To implement RSA on a chip, the MIT 
scientists found themselves on the cutting edge of VLSI chip 
design. They had to invent their own tools, which potentially 
became valuable intellectual property in and of themselves, 
stuff that corporations and foreign spies might covet. For 
instance, in order to keep track of the hundreds of 
thousands of logic gates and transistors on the chip design, 
Rivest wound up writing elaborate chip-simulation software 
to organize the project. His program made things much 
easier when negotiating the chaos the scientists were 
generating on the fifth floor of Tech Square—when they 
would spread out huge layouts of the chip, parts of which 
Adleman had designed, parts of which Rivest had modeled, 
and other pieces that Shamir had created—wondering 
where this wire went or what that transistor did. So much 
easier, in fact, that it began to dawn on the trio that the 
software they were using to create the chip might have as 
much commercial or military value as the RSA algorithm 
itself. 


By creating this valuable technical property, they found 
themselves in the situation in which they imagined their 
future customers might one day be: possessing secrets 
worth protecting and in need of a system to protect it. So 
one night they sat down together and wondered whether 
they should protect all their precious ideas... by 
encrypting them. Did these pioneers of cryptography 
indeed use their own system to protect their ideas? “I 
remember our decision was, ‘Naaah, it’s too much trouble,’” 
says Adleman. “Too much work to encrypt it. And we 
never did.” The irony was lost on them. But the reality was 
they were harboring big-time hopes for a technology that 
even its inventors considered a pain in the ass to use! 


They all thought that Rivest’s chip-simulation system was 
a masterpiece. “We didn’t just throw this thing together 
and hope that a hundred thousand things were going to 
work out,” says Adleman. “Ron’s software simulated the 
chip according to Mead’s rules.” Because the simulation 
was sound, boasts Adleman, “we knew the chip would 
work.” 


But when they tested the actual chip, it didn’t work. 
Instead of crunching primes and other stuff, it did nothing. 
Adleman blames the failure on their overreliance on Carver 
Mead’s publications. “The rules in his book weren’t 
complete,” he says. But in fairness to Mead—who in any 
case wasn’t working for the MIT trio—the RSA project was 
larger than any he had contemplated to date. While other 
researchers were creating little baby projects like chips 
that would operate streetlights, the MIT people were using 
advanced mathematical algorithms, with huge prime 
numbers and zillions of calculations, to choose keys, encrypt 
text, decipher scrambled missives, process public keys, and 
sign messages with digital signatures. So much was going 
on that the silicon “wires” in the chip were, by standards of 
microtechnology, extremely long, sort of nano-equivalents of 
transatlantic cable. This made it all too easy to place those 
silicon microthreads too close to each other, causing deadly 
“crosstalk” that would flip bits and ruin the calculations. 
That’s not what you want when performing precision math. 


“It had simulated perfectly,” Rivest sighs. “But the 
fabrication process didn’t return working chips. It probably 
just needed some little tweak in the processor design.” In 
other words, though the experiment was a technical failure, 
Rivest was confident that the system could ultimately work. 
Still, the failure to produce a working prototype was not a 
great selling point. 


Nonetheless the three scientists persisted. In 1983, they 
formally joined the world of commerce by creating RSA 
Data Security, Incorporated (they had originally hoped to 
call it simply “RSA,” but that was the name of a garbage 
collection company in Maine). There was no product, no 
customers, and no evidence of demand. And not even their 
dreams at that point flirted with the possibility that one day 
hundreds of millions of people would use their new 
company’s technology on a daily basis. 


By that point, Len Adleman was getting fed up with the 
whole process. He felt that he was getting further away 
from where his talents lay, in theoretical math. All the 
intellectual effort expended in squeezing formulas into 
silicon, he thought, might be better spent trying to discover 
Fermat’s last theorem or some similarly epochal challenge. 
Still, he hung in, hoping that if he and his colleagues could 
get their new company on a solid commercial footing, they 
would cash in. Then Adleman, at least, could return to his 
vocation, gleefully covering white-boards with intricate 
equations that had no discernable practical application. 


As mathematicians, they knew that the principle of 
Occam’s razor applied: the shortest solution to the problem 
was a straight line. But in this real-world puzzler of making 
a business succeed, there were endless detours in getting 
to point B. “We were clueless on this stuff,” says Adleman. 
Their first CEO was the reluctant Adleman himself, a man 
whose head was clearest when among the clouds. “At 
various times I was the prime mover; other times it was 
Ron,” he says now. (Adi Shamir, in the process of moving 
back to Israel to work at the Weizmann Institute, wasn’t as 
active.) Adleman naively figured that he’d handle this 
moonlighting lark in the spare moments left over from his 
new post as an associate math professor at the University of 
Southern California. 


They did understand they needed someone with 
experience to advise them. Somehow, they hooked up with a 
business consultant named Ted Izen, who was able to 
concoct one thing that the three brilliant MIT professors 
collectively had not managed to produce: a business plan. 
They also looked to Izen to come up with investors—fast. 
After months of delay and revision, the government was 
expected to finally grant MIT the patent for the RSA work. 
The Stanford patents had already been granted; on April 
29, 1980, U.S. Patent 4,200,770, “Cryptographic Apparatus 
and Method,” credited Diffie, Hellman, and Merkle as the 
inventors of public key cryptography. And on August 19 of 
that year came another Stanford patent, for the work of 
Hellman and Merkle. Called “Public Key Cryptographic 
Apparatus and Method,” it specifically dealt with knapsacks 
but more broadly claimed to cover any implementation of 
the public key idea. 


The impending MIT patent built upon those Stanford 
patents to cover the RSA algorithm. If the new company 
was to succeed, it required the exclusive rights to that 
innovation; otherwise, more established competitors could 
simply license the RSA work from MIT and blow away the 
company formed by the actual R, S, and A. Here’s where 
MIT’s generosity kicked in. The university agreed to grant 
Rivest, Adleman, and Shamir the exclusive rights to their 
invention. For a price—$150,000. (Generosity goes only so 
far.) Where would these young math professors find that 
kind of cash? 


Izen delivered the answer: a Reno, Nevada, physician and 
businessman named Jack Kelly. He had a company called 
Sierra Microsystems in Lake Tahoe that designed chips and 
which could be a potential business partner for this new 
company. One day Kelly flew his private plane to Burbank to 
meet with the RSA trio. For the researchers, the easy part 
turned out to be convincing him that in an emerging 
information age, a technology like RSA’s was going to be 
absolutely pivotal. The harder part was forging a deal that 
the novice entrepreneurs would feel good about in the 
morning. Adleman later came to view the experience at a 
philosophical distance. “He was an experienced 
businessman, and I was an inexperienced businessman,” he 
says. “And when that combination gets together, it is often 
the case that the inexperienced businessman gets some 
experience.” 


Nonetheless, Kelly provided the requisite six-figure sum— 
$225,000—that RSA Data Security needed to survive. And 
so, when, in September 1983, MIT was granted U.S. Patent 
4,405,829, entitled “Cryptographic Communications 
System and Method,” its inventors were ready. Nine days 
later the fledgling company paid MIT the $150,000 (plus 5 
percent of all its future revenues) for exclusive rights to the 
patent. 


With a real investment and control of its intellectual 
property, it was time to begin behaving like a business, 
creating and selling uncrackable cryptographic tools to 
anyone with a computer. With the remainder of Kelly’s 
investment, they set up an office in Silicon Valley and hired 
a professional manager to run the company. His name was 
Ralph Bennett. He had an impressive résumé—he’d worked 
at respectable companies like Fairchild Semiconductors— 
and from the point of view of the MIT professors, this 
fifty-something businessman seemed as good as anyone else 
around. 


With Bennett’s help, the company began gathering a 
workforce, including a sharp young marketer named Bart 
O’Brien. Even to an academic like Len Adleman, O’Brien, 
who had worked for a Florida high-tech company called 
Paradyne, was impressive. He was a slick dresser and an 
aggressive salesman who dreamed of running his own 
business. One day Adleman accompanied O’Brien on a sales 
call and was dazzled at the deft manner with which O’Brien 
parried the potential customer’s objections. 


Having deemed the RSA-on-a-chip scheme too 
complicated, the team’s first product was to be a software 
program mainly used to encrypt e-mail and stored data on 
personal computers. It would be called Mailsafe, a public 
key cryptosystem that would run on the most popular 
business personal computer, the IBM PC, and its clones. 
Adleman worked on the algorithms and Rivest concentrated 
on the implementation. Though Adleman did not find the 
work as intellectually thrilling as pure theory, he was 
engaged by the challenge of the alchemy of commercial 
programming, discovering tricks to make the math routines 
run more efficiently. 


Since both professors were working in their spare time, 
Mailsafe turned out to be a long project. During the 
development period, of course, RSA Data Security had no 
revenues. And Kelly’s investment was just about dried up. 
The situation became increasingly desperate. In theory, the 
company could get income from outside investors or 
advances paid on licensing deals. But under Ralph Bennett, 
not much of that was happening. Some of the people 
involved with the company would later claim that Bennett 
didn’t understand the nature of high-tech start-ups, and he 
wasn’t ideally prepared to evangelize the groundbreaking 
area of cryptography. In any case, the state of the young 
enterprise was, to say the least, precarious when Bart 
O’Brien called upon an old Paradyne friend of his named 
Jim Bidzos to help out with sales for RSA. 


At the time, it seemed like just one more random call. But 
the entrance of Jim Bidzos not only changed the future of 
the company, but the technology itself. Crypto had found its 
first supersalesman. And the repercussions would ripple 
from Silicon Valley to Fort Meade. 


Jim Bidzos was an unlikely savior for public key 
cryptography. The closest he came to processing algorithms 
was figuring out backgammon odds in the high-stakes Las 
Vegas tournaments he liked to frequent. Bidzos was then 
thirty-one, a Greek national born on February 20, 1955, in a 
mountainous region near the Albanian border: “A very, very 
small village in the middle of nowhere, no roads, maybe 
seventy people,” he says. Bidzos’s family had been there for 
ages; his father had taken a bride from a neighboring 
village in an arranged marriage. Bidzos was the second of 
four children, born in a small stone house. In the late 
1950s, his father left Greece to do what Bidzos calls “the 
classic immigrant thing: he didn’t speak the language, had 
no training, no education, no skills, but he joined some 
people from the village who had gone to Ohio.” About two 
years later, when Bidzos was five, he and his mother and 
siblings followed. 


Young Jim Bidzos took to America quickly. While his 
parents instilled some values from the old country in him, 
his iconoclastic nature seemed to fit the looser pace of 
American life. A naturally bright, though not particularly 
diligent, student, he breezed through school. He describes 
himself as a rebellious teenager: not necessarily a 
troublemaker but the kind of kid who made it a point to do 
precisely what he was told not to do. He wound up in the 
marines. After his military stint (though not as a U.S. 
citizen; he held, and still does, a Greek passport), Bidzos 
attended the University of Maryland. While he majored in 
business, he did take some courses in computer 
programming. He claims to have written one of the earliest 
computer viruses, “just to prove it could be done.” After a 
couple of years at Maryland, he took a job at IBM and never 
went back to school. 


In the early 1980s, he got a visit from a headhunter. 
Would he be interested in working for Paradyne, a Florida 
firm that made networking equipment for IBM mainframes? 
The position was in marketing, but technical skills were 
required to explain products to customers. Paradyne was a 
fairly buttoned-down company, with almost two football 
teams’ worth of vice presidents who had come over from 
IBM and had adopted some of the company’s uptight 
culture: the black shoes, the starched white shirts, the 
feeling that you’ve screwed the pooch if you’re the first one 
to leave on a given day. But Bidzos had learned how to play 
the corporate game. Indeed, he thrived at it, racking up a 
series of promotions. At Paradyne, he also learned how to 
use an expense account. During vacations he’d blow off 
steam: his passions included motorcycle racing, high-stakes 
backgammon, and women. His journals from the seventies 
are permeated with notations about this woman or that. 
Still in his late twenties, he was living a Hugh Hefner-esque 
bachelor existence. 


This status was endangered only once, by a young woman 
he began dating; Bidzos sensed that she might really be the 
one. The matter was brought to a head by a change in his 
job situation. Bidzos had been getting bored at Paradyne. 
The white-shirt culture was making him nuts; he wanted to 
be in a less structured, more freewheeling environment, 
with high risks and rewards. To strike out on his own. But 
when he finally cut the cord at Paradyne and began a global 
marketing firm with some friends, his girlfriend uttered the 
words every confirmed bachelor dreaded: it’s now or never. 
She felt that if they didn’t marry, this new venture would 
take him away. Ever the deal maker, Bidzos chafed at being 
handed an ultimatum. It would be submitting to her terms. 
He would never get married under pressure, even to a 
woman he loved. So it was over. 


His girlfriend had been right about the lifestyle: his new 
job selling high-tech equipment to international customers 
and his own services to clients was all-consuming. Almost 
every month he’d go to Europe or the Far East—some 
months he’d hit both continents, a global ricochet—staying 
in the best hotels, dining in the best restaurants, choosing 
the priciest wines, and doing the deal, always doing the 
deal. Then he hit a wall. Was this to be his life—on the road 
all the time, looking for the next client? He began to ponder 
his lost love affair. He quit the company and began working 
on freelance marketing projects. If he needed a few bucks, 
something would come up. He was bored with Florida by 
this time and wanted to move to California. A firm for whom 
he’d sold IBM-compatible computer terminals offered him a 
job that would take him west, but he wasn’t interested. The 
president of the small company came back with a 
counteroffer. “I know you want to come here,” he said, “and 
I know you like my receptionist, so if you come and work for 
me two days a week, I'll pay for the move—just give me six 
months.” 


The guy had pegged Bidzos right—he did like the 
receptionist—so he was in California by August 1985. Then 
he got in touch with his friend Bart O’Brien at RSA Data 
Security. 


O’Brien had mentioned RSA to Bidzos back in May, had 
even FedExed him a business plan. But Bidzos, who’d been 
about to leave on a five-week trip to Europe, couldn’t make 
any sense of it. He’d forgotten about it in the excitement of 
his travels. When he returned to his Florida apartment 
there were a few more envelopes waiting for him, all of 
which contained new and different RSA business plans, 
which apparently reversed course quicker than a 
backgammon game. Obviously, this strange new company 
was a work in progress. 


But O’Brien kept pushing. He invited Bidzos to stop in 
San Francisco on his way back from a trip to the Far East. 
Bidzos had barely arrived when O’Brien immediately 
embarked on a business trip of his own, leaving Bidzos with 
the keys to his apartment and car and a mandate to stay for 
a week and have some fun. Naturally, Bidzos took to 
Baghdad by the Bay, and began to make frequent return 
visits. O’Brien used these opportunities to ask for advice on 
RSA’s revolving business plans, and to solicit ideas on 
raising money. “You should come here to work,” O’Brien 
kept saying. 


Bidzos wasn’t quite ready for that, but he began to spend 
more time doing freelance projects for RSA, writing up a 
marketing plan and studying the possibilities of selling the 
entire system to IBM. The more he learned about the 
company’s mysterious product, the more intrigued he got. 
Despite being a motorcycle-racing, woman-chasing, 
wine-quaffing, high-risk gambler, Bidzos also had an intellectual 
streak, and he got a huge kick out of hanging out with the 
engineers, and particularly the cryptographers. 


One amazing night in late 1985, he met the most brilliant 
guy of all: Whit Diffie. Bidzos joined a group of RSA people 
treating Diffie to dinner at a Mexican restaurant at the 
Stanford Mall. The company had long been urging the 
public key inventor to become its chief scientist (at one 
point Diffie had even accepted, but wound up holding off 
until the company got more funding). The group included 
O’Brien, Ralph Bennett, and Al Alcorn, who’d been a key 
figure in the early days of Atari and Apple; RSA had been 
wooing him to join the company as well. Bidzos was dazzled 
at the conversational interplay between the brainy Alcorn 
and the enigmatic Diffie. After some cursory discussion 
about RSA’s future, the two minds just sort of hooked up 
and Bidzos grooved on the conversation like an uptown 
hipster wanna-be who’d sneaked into a secret jam session 
between Miles and Trane. 


As the group broke up, Bidzos asked Diffie if he might be 
available for lunch sometime to talk more. “I’m always 
available for lunch,” said Diffie. Over the next few months— 
years, really—Bidzos would take Diffie out for meals in Palo 
Alto and Berkeley for what was essentially a roaming 
tutorial in cryptography, public key, privacy, and politics. He 
eventually became quite knowledgeable on crypto’s fine 
points. On the other hand, Ralph Bennett—at least as far as 
Bidzos could tell—didn’t seem to be as charmed by Diffie. 
And vice versa. Bidzos recalls one lunch with the three of 
them at which Diffie began eyeing Bennett’s 
ham-and-cheese croissant sandwich. The stare was so intense that 
Bidzos was sure that Diffie was about to lunge at the food. 
Bennett must have noticed, too, because he offered Diffie a 
piece. Diffie declined, but kept staring at it. Suddenly, the 
long-haired, bearded cryptographer pulled out a large knife 
he’d been carrying, pulled the plate toward him, and 
whacked off half the sandwich. Then he calmly ate it. God 
knows what Bennett thought about that. But it obviously 
wasn’t a bonding moment. 


Bidzos soon realized that this little company trying to sell 
a crazy product to scramble computer data was in huge 
trouble. They had yet to ship a product or even license an 
algorithm. Operating expenses were murderous. The rent 
alone was a huge burden. O’Brien, ever the optimist, had 
rented the company a huge space in Redwood City near the 
Bay, just across from Oracle. It was the size of a soccer field, 
even though layoffs had left fewer than five employees. 


There was another potential land mine waiting to 
explode. It involved a loan from an investment banking 
operation run by two guys in New York. One was an Italian 
named Vinnie, who spoke with a profusion of disses and 
dats. His associate was a more soft-spoken Jewish fellow 
named Steve. They liked to hold meetings at Kaplan’s Deli 
in New York City. Though everything was on the up-and-up 
with these two, they still seemed like escapees from an 
Elmore Leonard novel. 


Drawing upon a list of about fifty investors (including, 
Bidzos says, dozens of New York doctors, dentists, and the 
comedian David Brenner), they had loaned RSA half a 
million dollars in December 1985. But RSA Data Security 
went through the money like a sugar-toothed eight-year-old 
gobbling Halloween candy. The $500,000 had barely been 
counted before it was almost gone, drained by accrued 
salaries, debt, and a bridge loan to cover operating 
expenses. The company was going bust. 


If that wasn’t enough to worry about, Bidzos then learned 
that Ralph Bennett, a Scientologist, had indicated that he 
might transfer his own considerable shares in the company 
to that organization. This would have made the Church of 
Scientology one of the biggest shareholders in the 
company—and the keeper of modern cryptography. 


Oddly, one thing that was not considered a problem at the 
time was the possibility that RSA, by launching a new and 
powerful form of cryptography into the growing ether of 
computer communications, might alienate the National 
Security Agency, or provoke a response from law 
enforcement agencies that felt threatened by the advent of 
cryptography. “Bart and Ralph understood the NSA had an 
interest in this sort of thing,” says Bidzos. “But they saw the 
agency as a potential customer.” As far as the visible lack of 
interest from the NSA itself—no queries or threats had 
emerged from behind the Triple Fence—Bidzos came to 
believe (correctly, as it turned out) that the spooks had 
figured that the smartest course of action would be to leave 
RSA alone... because the company almost certainly was 
falling apart on its own. 


“Bart was just lost and didn’t know what was happening,” 
says Bidzos. “He’s an optimist and a very enthusiastic 
fellow, and he was going to do a $10 million deal with every 
computer company in the world. But there were no 
prospects of making money anywhere.” Even so, drawn by 
the big-idea-ness of it all, Bidzos found himself more and 
more interested. In mid-January 1986, he agreed to 
accompany O’Brien to Boston to brainstorm with Rivest 
about the company’s problems. They flew on People 
Express, a discount airline with all the frills of a Greyhound 
Bus route on the Texas plains. The night before the meeting 
he and O’Brien went over the numbers, which looked 
bleaker than ever. It appeared that the flag bearer for 
public key cryptography might die without ever even 
raising the damn flag. Some revolution. 


In Rivest’s office the next day, Bidzos laid out the whole 
mess, scrawling the specifics on his blackboard. At first 
Rivest’s attitude was . . . professorial. After hearing the bad 
news, he sighed and said, “Oh, gee, I’d really hoped it 
would do well.” Bidzos tried to tell him that he simply 
wasn’t getting it. RSA’s failure wasn’t analogous to not 
winning some academic honor. There were consequences. 
When you take money from people, there’s a different kind 
of accountability. They all could be sued. Finally, as Rivest 
began to get the picture, he began to flip out. 


Then they got Adleman on the phone in Southern 
California. After hearing how dire the circumstances were, 
the mathematician once again realized why it was so much 
more pleasant dealing with theoretical problems in number 
space. So he decided to make his involvement theoretical. “I 
resign from the board of directors,” he said, and hung up. 


Years later, Adleman was philosophical about his role. “A 
large part of why the company wasn’t working was me,” he 
said. “In the beginning, RSA was a nonentity; it existed on 
paper but didn’t really exist. Somebody had to pick up the 
ball, and there was good news and bad news in my picking 
it up. If I hadn’t, the technology would have been picked up 
by someone else, and the patents would have gone to 
someone else. But while I gave birth to RSA to a certain 
extent, I didn’t do a good enough job to get a baby out that 
didn’t have some serious defects.” 


After O’Brien and Bidzos returned to California, they 
hired a management consultant who worked with them to 
try to find a way through the mess. As the meetings 
progressed, the consultant commented that Bidzos’s ideas 
seemed both inventive and practical. A crazy idea crossed 
Bidzos’s mind: maybe he should be running things. 


Even now, Bidzos cannot come up with a coherent sense 
of the reasoning that led him to join the endangered 
company full time as the instrument of its salvation. Indeed, 
in the months to come, trying to unravel the ongoing crisis 
late at night before the computer screen, he would often 
ask himself: Am I really here? I could be in a first-class 
cabin, flying to Paris to drink bordeaux at the Tour d’Argent 
with sweet Dominique! Yes, there was the opportunity to 
finally run a business. Yes, there was the excitement of a 
new technology. And yes, there was the lure of San 
Francisco with its women, its restaurants, its hot-tub 
parties in Tiburon. But it still really didn’t make sense. 
Though he went through the motions of figuring out how he 
might personally avoid the consequences if everything 
wound up in a horrid thicket of lawsuits and recriminations, 
deep down, he understood that he was involving himself in 
a potential train wreck. 


For a while, he maintained to himself that his role was 
only temporary—he would help the company secure some 
funding, hire a new leader, and eventually collect some 
stock for his labors. Then he’d be on his way. But by the end 
of March, everybody else on the payroll had left or been 
cleared out. (Bennett technically didn’t leave until 
mid-August, after some tough negotiations that led to a buyout 
and, incidentally, the end of a possible relationship between 
RSA and the Church of Scientology.) It was Good Friday, but 
Bidzos called it Black Friday. He went out to dinner that 
night with Rivest and Bennett, and officially took the title of 
vice president of sales and marketing. Later on, he realized 
that since he was the only official there, he might as well 
call himself the president. 


His chief concern was the financial crisis. Some bills 
simply could not be paid. And, of course, no money was 
coming in. He called debtors and negotiated. “You call a law 
firm and tell them the company’s winding down—we owe 
you $175,000 and we’ve got $10,000 to give you,” says 
Bidzos. And they'd settle for the cash! Meanwhile, he set off 
to keep Vinnie and Steve happy. Fortunately, he had a good 
relationship with them. One day at Kaplan’s Deli, Bidzos 
was signing the credit-card bill for the meal, and he 
mistakenly underpaid, writing a three instead of an eight. 
The waitress went ballistic, calling him a cheater. Bidzos 
was mortified. But Vinnie and Steve beamed. “We like that,” 
they joked. 


Affection aside, Vinnie and Steve had to think of their 
investors, and a lawsuit against RSA was still a possibility. 
They decided to get the opinion of a respected outsider, a 
guy whom they called “the Wizard of Wall Street.” He was a 
no-nonsense cigar smoker who cut to the chase when 
Bidzos was brought to meet him. “What’s the story?” he 
asked. Bidzos drew on his own cigar and launched into a 
spiel about the brilliant young MIT geniuses who figured 
out a way to secure computer data and enable commerce in 
the next century. The wizard was impressed, and Vinnie and 
Steve decided to keep the faith. 


The process that would truly save RSA, however, would 
be convincing large companies that they needed crypto, 
and then selling them the technology. While the encryption 
software program Mailsafe was getting closer to a finished 
version (it would finally ship in July), the current business 
plan assumed that it would not be software sales but 
licensing fees that brought in the bulk of RSA’s revenues. 
Before leaving the company, Bart O’Brien had compiled a 
list of about thirty potential large customers, and Bidzos 
went through it. Discussions with AT&T, which O’Brien had 
figured for a $10 million contract, had stalled. Bidzos kept 
taking meetings, seeing executives at IBM, DEC, and Xerox. 
But that first major contract seemed frustratingly elusive, a 
siren just out of reach. If RSA didn’t rope in a big score, all 
of Bidzos’s efforts would be wasted. The debts would be 
due, and the lawsuits would follow. Then the MIT patent, 
the crown jewel of the company, would be auctioned off for 
peanuts. He needed money now. But who would buy first? 
Would anyone bite? 


One potential savior stood out—a small software company 
called Iris Associates that was funded by the spreadsheet 
giant Lotus Development Corp. Iris’s product, called Notes, 
was the first example of a new software category called 
groupware, a program meant to be used by dozens or even 
thousands of people over a network. Notes was an ideal 
candidate for a built-in encryption system since it assumed 
that users would electronically exchange virtually all their 
messages, even ones involving the most confidential 
corporate secrets. Without a means of securing that 
information against eavesdroppers, Lotus’s potential 
customers—major corporations whose data were worth 
zillions—would be unlikely to purchase Notes. 


No one understood this better than the inventor of Notes. 
Ray Ozzie was one of those double-threat computer 
geniuses who not only could code their way out of a trunk 
loaded with rocks dropped into the middle of the ocean, but 
were equally visionary in the analog world, with an 
instinctive sense of the marketplace. He began his career at 
Data General, the minicomputer company, but when he saw 
the IBM PC microcomputer he realized that the future lay 
in these personal devices. So he moved to what was then 
one of the biggest PC software companies, Software Arts, 
creator of the original spreadsheet, VisiCalc. But in his head 
Ozzie was thinking about what could happen when all these 
personal computers got networked together. He felt that 
IBM itself would eventually get into the business of writing 
software for that world, but in the meantime there was a 
total vacuum—one that he hoped to fill with a program of 
his own design. That was Notes, and he founded Iris 
Associates to produce the program. But he spent much of 
1982 unsuccessfully seeking start-up funding. 


In early 1983, he set out to pitch his vision to Mitch 
Kapor, the founder of Lotus, which had recently released a 
spreadsheet called 1-2-3 that immediately supplanted 
VisiCalc as the industry gold standard. Kapor’s main 
concern was finding a master software wizard to write 
Symphony, a multifunction program for Lotus, one that 
melded a spreadsheet, word processor, and database. So 
they made an agreement: if Ozzie would create Symphony 
for him, Kapor would fund Iris Associates to create Notes, 
and Lotus would distribute it. On the day Symphony 
shipped, in 1984, Kapor said, “Okay, Ray, do your thing.” 


Ozzie knew early on that security would be a key feature 
in Notes, and he looked forward to developing a technology 
to frustrate snoops and crooks. As a kid, he’d loved the TV 
show The Man from U.N.C.L.E. and played secret agent 
with his friends. That took a back-seat to electronics and, 
eventually, computer science, but he’d gotten excited when 
he read Martin Gardner’s article about RSA in 1977. So he 
suspected that his product might benefit from a public key 
cryptosystem. Coincidentally, in early 1984, not long before 
he finished Symphony, he came across an article in Dr. 
Dobb’s Journal (a sort of programming guide for 
granola-chomping hackers) with a FORTRAN source code for 
encrypting with RSA. “It was so cool,” he recalls. 


In 1984, though, the appearance of an early 
implementation of RSA in a computer hobbyist magazine 
was a symbol of public key’s status: although the advance 
had made a lot of noise in the academic community, no one 
had seriously considered using it in a software product. But 
Notes needed something like it. In a memo Ozzie wrote 
about security issues, he identified the problem that his 
groupware product faced, both in protecting privacy and 
establishing authenticity: 


Mitch Kapor wants to send mail to Jim Manzi 
[Lotus’s second-in-command] about some 
(perhaps sensitive) subject. Mitch sends it to 
Jim. First, although this mail SAYS that it is from 
Mitch, has some hacker on the network “faked” 
the message and put it into Jim’s mailbox? How 
can he be sure that this mail is really from 
Mitch? Second, he realized that this message 
passed through several intermediate machines; 
did anyone “take a peek” at the message as it 
was on its way to Jim? 


Ozzie continued to describe the way a traditional computer 
security system would deal with the problem, that is, via a 
central authority that delivered passwords off-line, and 
became, essentially, a mandatory hub through which all 
traffic passed. This model was not only vulnerable in exactly 
the way that had made Whit Diffie so dissatisfied in the late 
1960s—if the central authority screwed up, turned crooked, 
or turned you in, the whole system failed—but its very spirit 
was locked into an age that was destined for the junk heap. 
That system was synced with the mainframe model of 
computing, where some huge hulking circuit-laden beast 
did all the crunching, flipping computations to dozens or 
hundreds of users like some giant robotic blackjack dealer. 
Ozzie saw Notes not only as a pioneering product but also 
as a seminal example of the networked future, where the 
masses would have their own computers and not have to 
check in with some massive digital Big Brother. Like the 
phone system, communications would be one-to-one, people 
communicating directly with their peers (as opposed to 
some now-antiquated models where communications were 
funneled through a central authority). “We believe that this 
is a bad approach,” wrote Ozzie of the central-authority 
model. “It changes the distributed nature of the network 
back into the old ‘centralized data’ approach of 
mainframes. . . . It also resurrects the problems with the 
‘traditional solution,’ that is, trust in people and/or 
mechanisms that are not completely understood.” 


The way to deliver security in the far-preferable 
decentralized manner was, of course, via public key. Diffie 
and Hellman’s landmark paper seemed almost to have 
Notes in mind when it outlined how Ozzie’s problems could 
be addressed. Through use of a “global phone book,” 
everybody in the organization would have access to 
everybody else’s public key. Public key provided a way that 
Notes users could not only send messages in complete 
privacy but could also make sure that the message wasn’t 
forged: 


Consider the aforementioned scenario where 
Mitch sends a message to Jim. . . . Mitch writes 
a memo. In Notes, it invokes a menu item called 
“Sign Message.” Notes uses Mitch’s private key 
and the message itself to attach to the original 
message a “Signature,” a code that uniquely 
identifies both Mitch and the actual contents of 
the message. Once the message is signed, Mitch 
invokes the “Send Message” menu item. The 
message then leaves Mitch’s PC, goes across 
the network, and ends up in Jim’s PC. Jim, 
receiving the message, reads it and wonders if 
Mitch really sent him this message. He invokes 
a menu item called “Verify Message” (this, of 
course, could have been done automatically). 
Notes now looks at the directory of users to find 
Mitch’s Public Key. Once found, Notes uses the 
message’s attached “Signature” and Mitch’s 
Public Key to do the verification. When Notes 
says “OK,” it is indicating that the message was 
indeed sent by Mitch and the message is in its 
original form and has not been modified 
between Mitch and Jim. 


Ozzie concluded that the only viable implementation of 
public key crypto was RSA. He needed a heavy-duty system. 
While the Dr. Dobb’s program was a fun hack, it was many 
magnitudes too slow to be used in a commercial program, 
let alone to be used to encrypt large messages. When Ozzie 
and his team got serious about encryption, they decided to 
go with a more sophisticated use of RSA: a hybrid system, 
using the public key method as a way for users securely to 
create symmetrical keys, which would be used to encrypt 
messages in a conventional cryptosystem. They figured the 
proper combo was RSA as a key-exchange algorithm and 
DES to actually scramble the message content. 
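
The signing flow in Ozzie's memo and the hybrid scheme described above can be followed end to end in a short Python sketch. It is an added illustration, not code from Notes, Iris, or RSA: it assumes unpadded textbook RSA with constructed toy keys built from Mersenne primes, uses a SHA-256 keystream as a stand-in for DES (which the Python standard library lacks), and the names `DIRECTORY`, `send`, and `receive` are hypothetical.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys


def make_keypair(p, q):
    """Build a textbook-RSA (public, private) pair from two primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)


# Constructed toy keys. Mersenne primes keep the listing short, but their
# special form makes them unsuitable for any real use.
MITCH_PUB, MITCH_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
JIM_PUB, JIM_PRIV = make_keypair(2**1279 - 1, 2**2203 - 1)

# The "global phone book": anyone can look up anyone's public key.
DIRECTORY = {"Mitch": MITCH_PUB, "Jim": JIM_PUB}


def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private, message):
    """'Sign Message': bind the signer's private key to the contents."""
    n, d = private
    return pow(digest_int(message), d, n)


def verify(public, message, signature):
    """'Verify Message': check the signature with the public key."""
    n, e = public
    return pow(signature, e, n) == digest_int(message)


def keystream_xor(key, data):
    """Stand-in for DES: XOR with a SHA-256 counter keystream.

    Safe only because each session key is used for a single message.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def send(sender, sender_private, recipient, message):
    """Sign, encrypt under a fresh session key, wrap that key with RSA."""
    session_key = secrets.token_bytes(16)
    n, e = DIRECTORY[recipient]
    return {
        "from": sender,
        "wrapped_key": pow(int.from_bytes(session_key, "big"), e, n),
        "ciphertext": keystream_xor(session_key, message),
        "signature": sign(sender_private, message),
    }


def receive(recipient_private, envelope):
    """Unwrap the session key, decrypt, then verify against the directory."""
    n, d = recipient_private
    session_key = pow(envelope["wrapped_key"], d, n).to_bytes(16, "big")
    message = keystream_xor(session_key, envelope["ciphertext"])
    public = DIRECTORY.get(envelope["from"])  # unknown sender: no key
    ok = public is not None and verify(public, message, envelope["signature"])
    return message, ok


if __name__ == "__main__":
    memo = b"Jim, the Q3 numbers are attached. Mitch"
    envelope = send("Mitch", MITCH_PRIV, "Jim", memo)
    print(receive(JIM_PRIV, envelope))

    # An intermediate machine alters one byte in transit.
    tampered = dict(envelope)
    tampered["ciphertext"] = bytes([envelope["ciphertext"][0] ^ 1]) + envelope["ciphertext"][1:]
    print(receive(JIM_PRIV, tampered))
```

The slow RSA operations touch only a 16-byte session key and a 32-byte digest, while the bulk of the message goes through the fast symmetric cipher. A deployed system would add padding such as OAEP and PSS rather than using raw RSA.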


Around that time, Mitch Kapor got an unsolicited letter 
from Ron Rivest. I don’t know if you have any need for this, 
the letter went, but there’s this useful algorithm called 
RSA, and we have the exclusive rights. . . . 


“Do you know what this is?” Kapor asked Ozzie. 
“Oh, shit,” said Ozzie. “RSA is subject to licensing?” 


A meeting was arranged. On April 29, 1985, Bart O’Brien 
and Ron Rivest came to Iris. It was by far the most 
promising sales call in RSA company history. When O’Brien 
launched into his standard song and dance about the 
wonders of their system, Ozzie cut him off—the Iris people 
were already sold on the virtues of RSA. Discussion 
immediately switched to how the companies might work 
together. Ozzie was particularly excited at the prospect of 
having Rivest himself available for consultation: “Who can 
better verify an algorithm than its inventor?” he wrote in a 
memo. 


The main sticking point turned out to be money. When it 
came time to give actual figures, O’Brien, offering what he 
called “a first-guess estimate,” asked for the moon: $100 a 
unit for the first 15,000 customers (or “seats”) with a 
sliding downward scale that stopped at $50 a seat after the 
100,000th user. Ozzie told them those estimates were 
“tremendously out of line with reality.” After all, the 
wholesale price of the entire software package was to be 
only a couple of hundred dollars. Ozzie promised, though, 
that he’d discuss pricing with Lotus, which would ultimately 
be paying the licensing fees. But he knew that there was no 
way Lotus would ever pay that kind of money. 


Sometime during the discussion Bart O’Brien mentioned 
that Ozzie might want to check out whether including 
encryption in its product might affect overseas sales. Ozzie 
admitted that he’d never given any thought to the issue. 
Rivest and O’Brien suggested that he make contact with the 
National Security Agency on this, but first Iris or Lotus— 
whichever was going to export the product—should figure 
out a government strategy. “These are not people you want 
to deal with casually,” they told Ozzie. “You want to 
understand the endgame.” When the meeting was over, 
Ozzie quickly realized that no matter what system Notes 
used, this might be an issue, and in his memo he requested 
that Lotus’s lawyers look into how the export regulations 
might affect the product. 


The meeting ended amicably, but the sticking point 
remained: RSA’s outrageous asking price. On the other 
hand, the public key algorithms were perfect for Notes. 
“We knew technologically what we wanted—we’d already 
prototyped it,” says Ozzie. “I wasn’t going to put all my 
cards on the table at the first negotiation, but they could 
tell we were clearly excited.” But for a while it remained a 
stalemate. RSA regarded Lotus as one of many potential big 
scores, and Ozzie began what he saw as a sales job to 
Lotus, trying to get them to shell out for a reasonable 
license fee. 


By the time Jim Bidzos joined the talks, almost a year had 
passed since the initial contact between RSA and Ozzie, 
with little progress made. In fact, after making some 
tentative inquiries with the government, the Notes people 
had reason to second-guess the whole idea of licensing 
crypto: they’d been given hints that the National Security 
Agency would be less than pleased at the prospect of a 
major software product with technology to scramble 
information that the supercomputers behind the Triple 
Fence could not easily read. But as soon as RSA’s new 
leader came in—this fast-talking thirty-one-year-old Greek 
who was obviously not a hacker, not from the Silicon Valley 
culture at all—the Iris guys knew that negotiations had 
reached a new phase. 


Bidzos jacked up the urgency quotient instantly. He 
clearly wanted to cut a deal and wasn’t afraid to take the 
conversation in an adversarial direction. He emphatically 
reminded Lotus that RSA had the technology Notes needed, 
technology unattainable elsewhere. Without crypto, big 
corporations that wanted their communications protected 
would never use Notes. As far as he was concerned, Jim 
Bidzos had Ray Ozzie by the balls, and made sure he knew 
it. This aggressiveness unnerved Ozzie and his colleagues. 


Bidzos’s come-on was so intense that for weeks the 
speculation at Iris and Lotus was whether this pushy Greek 
was actually some sort of intelligence agent who’d been 
planted at RSA to control crypto. Still, Bidzos’s appearance 
broke the stalemate. He could switch from an iron glove to 
a velvet one. He reassured the Iris people that RSA— 
meaning Ron Rivest and some moonlighting MIT colleagues 
—could actually help to build the RSA algorithm into the 
product. And his financial demands were nowhere near the 
fantasy figures that Bart O’Brien had demanded earlier. In 
fact, one of his chief criticisms of his predecessors was their 
ridiculous financial demands. 


Meanwhile, Ozzie had convinced Lotus CEO Mitch Kapor 
that public key technology was essential to Notes and it was 
time to come in with a solid offer. Lotus dangled before the 
troubled crypto company something it needed desperately: 
a cash advance against royalties. The figure was $200,000, 
but Lotus wouldn’t pay all of that until the development 
work was done. Upon signing, however, Bidzos would get a 
check for $50,000. At that point, $50,000 represented the 
difference between life and death for RSA Data Security. 


The contracts were drawn that summer, to be executed in 
October, when Bidzos would go to Lotus’s new 
headquarters on the Charles River in Cambridge, and he 
and Mitch Kapor would both sign the contract. But when 
the RSA contingent arrived that day they sensed a profound 
disarray at Lotus. Sitting in the waiting room, Bidzos 
reached for a copy of the Wall Street Journal. On the front 
page was one of its trademark ink-pen portraits—of Mitch 
Kapor. It accompanied a story that said that Kapor was 
resigning from Lotus to pursue those ever-compelling 
personal goals. Essentially, the former transcendental 
meditation teacher had grown intolerant of the business 
world’s soul-battering minutiae, and he was following his 
muse out the door. 


Before Bidzos had a chance to assess the impact of this on 
the still-unsigned contract, a receptionist summoned him 
upstairs. Kapor was there, his muse apparently still 
loitering in the building. “I don’t work here anymore,” he 
said. “But Ed Belove will take care of you.” Belove, a 
vice-president who had worked on the deal, had the authority to 
sign the contract, and he did. 


With that money, RSA was able not only to keep its doors 
open, but also to start distributing Mailsafe. Who was the 
audience for such a personal computer-based cryptography 
product? The RSA people really didn’t have an idea. The 
mainstream of the American public didn’t consider 
encrypting e-mail a pressing concern. On the other hand, 
there was a vast number of career paranoids who found the 
product immediately attractive. 


One particular caller seemed to embody this arcane 
demographic. Around the time Mailsafe shipped, calls 
started coming in to RSA that began with heavy breathing. 
Then an anxious voice would burst out, How big are the 
keys that come with Mailsafe? And they’d tell him, “One 
hundred forty digits.” Then, puff puff he’d ask, How hard is 
that to break? and they’d say it would take a 
supercomputer a trillion years to find the key. Can I set 
bigger keys? he’d ask, pant pant, and they’d tell him yes 
and then hear heavy, almost frenzied wheezing on the line. 
Can the government break that? Uh-uh. Can the NSA break 
that? The next day, he’d call back, asking essentially the 
same questions. He became known at RSA as the Obscene 
Crypto Caller. “He obviously thought we were some huge 
company that wouldn’t know it was the same guy calling,” 
says Bidzos. “In fact, we’d all huddle around and listen to 
him when he called.” 


Would RSA sell its product to the Obscene Crypto Caller? 
Yes, it would. Just as the NSA had feared, here was a 
company that would sell to anybody. And as long as RSA 
didn’t send it across the borders of the United States, the 
company was perfectly within its rights to do so. It wouldn’t 
ask why people wanted to use it: that was nobody’s 
business but the buyer’s. It would even ship to post office 
boxes. 


Sometimes Bidzos himself would talk to customers when 
they called. One fellow in Pittsburgh quizzed him at length 
on the strength of the product, particularly on whether the 
government was able to break it. Bidzos asked him why he 
wanted Mailsafe. It turned out the guy sold surveillance 
countermeasures, like equipment that swept rooms for 
electronic monitoring bugs. Bidzos immediately realized 
that he had something in common with the man: both of 
them dealt in tools that were regulated by a government 
with a high stake in restricting the most powerful 
technology in the field. The conversation would also get 
Bidzos wondering whether he was being bugged. 


But Mailsafe was a sideshow; Bidzos realized that RSA’s 
revenue stream would mainly be the big companies that 
licensed the RSA toolkit and built encryption directly into 
their own products. After the hurdle of the first big deal 
with Lotus was cleared, a number of large customers— 
including some of the most influential in the land—fell into 
line over the next few months. First came Motorola, which 
wanted public key technology for secure telephones. Then 
came Digital Equipment Corporation and Novell, both 
companies that required a means to secure computer 
networks. 


All of these deals were closed by RSA’s supersalesman Jim 
Bidzos. When negotiating with potential licensees, he had 
the ultimate weapon: the patents for the technology. Before 
naming a price, he would speak at length about the nature 
of encryption and authentication, drawing deeply on his 
informal tutorials from Diffie, Rivest, Adleman, and Shamir. 
By then, Diffie had decided not to work for RSA formally 
—“I’ve never had a start-up personality; I’ve never been 
able to work on anything but what I was interested in at the 
moment,” he later explained. The company instead needed 
people like Rivest, who could focus his attention and write 
thousands of lines of product code in a few weeks. 


Bidzos had himself become quite an explicator of the 
crypto revolution. He understood completely how what 
would later be called the Network Effect was absolutely 
crucial when it came to public key cryptography: its value 
increased exponentially by the degree to which it spread 
throughout the population. For that reason, he almost 
always insisted that RSA be built into the basic product, so 
buyers would get crypto without specifically having to ask 
for it. 


Only when Bidzos finished his rap would he get into the 
terms of the deal. The kind of arrangements he liked the 
best were those that involved getting encryption into the 
hands of thousands, maybe even hundreds of thousands, of 
users. With a customer base that size, RSA would demand 
only a few dollars per seat. A dream began to form: a world 
where everybody could, and did, communicate with the 
privacy that encryption provided; a world where people 
could not only swap mail but sign contracts and pay bills 
with all the safeguards available in the physical world. And 
RSA would get a piece of all that. It was the ultimate 
salesman’s dream. But it was also the NSA’s nightmare. 


For a crucial period in the mid-1980s, however, Bidzos 
heard little from the government. He says that there were 
occasional rumors that some officials were quietly urging 
some sort of action against RSA, action that might have 
been devastating to the fragile young company. “Buy them, 
threaten them, do something—just stop them,” he’d heard 
they were saying. “There are a million ways to do it.” But 
nobody did. So, his theory went, the government simply sat 
back and waited for RSA to self-destruct. 


The government skeptics underestimated Jim Bidzos. By 
the end of the summer of 1986, he had transformed the 
company and won the trust, if not the total enthusiasm, of 
all three of the firm’s namesakes. Ron Rivest had become a 
good friend, and was the most committed of the trio. He 
saw Len Adleman in Berkeley, who was amiable but 
somewhat reserved—though still a shareholder, he’d 
apparently had enough of the business life. Then in August 
Bidzos met Adi Shamir, who had moved back to Israel but 
was in the Bay Area before heading to Santa Barbara for 
the annual Crypto conclave. Bidzos spent the day with him. 
He found Shamir very bright and very intense, and the 
businessman took pains to solicit ideas from the 
cryptographer—who was, after all, also a shareholder—on 
RSA’s various opportunities for success. 


Relations were not as good, though, with Marty Hellman. 
In the 1980s, Diffie’s coinventor of public key had tried to 
go into business himself selling crypto solutions under the 
name Hellman Associates. But the venture never took off, 
perhaps because much of his energy in the eighties was 
devoted to intense involvement in an antinuclear group 
called Beyond War. “The importance of cryptography 
couldn’t compare to the importance of the danger to human 
survival, and so I worked on the issue of making sure the 
human race survived,” he later explained. Still, now he 
seemed upset, even hurt, that this company based in part 
on his ideas was finally beginning to make it, particularly 
since he disagreed with parts of RSA Data Security’s 
approach to public key. Bidzos says he tried to bring 
Hellman in, and arranged a sort of reconciliation with all 
the other public key creators in a dorm room at Crypto ’86 
that August. Hellman, Bidzos recalls, was emotional as he 
voiced his complaints. But nothing came of the meeting, 
and for years there was a chill between Hellman and the 
others. Bidzos says he later offered Hellman stock in the 
company, begged him to take it—he’d already given shares 
to Diffie. But Hellman refused, claiming that he wasn’t a 
stock guy. (He did accept a stipend to become a 
“distinguished associate.”) 


Had he taken the stock, he would have eventually cleared 
well over a million dollars, as Diffie did. This was in contrast 
to the pitifully low sum paid to them by Stanford, which 
held the actual patents for their breakthroughs—Diffie’s 
own share came to only about $10,000. 


In any case, RSA Data Security, Inc., was beginning to 
take off. But now it was triggering the NSA’s radar. And the 
first to notice were RSA’s customers. 


patents and keys 


To Ray Ozzie the whole thing was a no-brainer. He was 
creating a product by which people exchanged information 
that they might want to protect. Including encryption in the 
product was simply a means of providing them that 
protection. It was simple business. It was common sense. 
But now that Lotus was actually preparing to include RSA 
as an essential component of Notes, he found himself waist 
deep in a thicket of red tape concerning its export—almost 
as if he were a virtual enemy of the state. To his horror, he 
discovered that as far as the export rules were concerned, 
even a strictly commercial program that helps people run 
their businesses is considered a weapon. Not a handgun or 
a stiletto, either, but a weapon of mass destruction, like a 
Stinger missile or a nuclear bomb trigger. 


Ozzie could have simply avoided the whole mess by not 
exporting his product. On a practical level, though, limiting 
sales to America was unthinkable. It would mean cutting 
potential revenues at least in half. Software for personal 
computers was a global market, particularly when it came 
to big corporations that were the prime consumers of 
Notes. But such a market hadn’t existed when the export 
regulations were created. When Ozzie and the Lotus 
lawyers did their research, they found that crypto export 
licenses were generally issued only when the exporter 
(typically some company with ties to the military 
establishment) was able to identify and vouch for the 
friendliness and trustworthiness of the final users. The 
process was called an “end-user certification.” But Notes 
was a mass-market product, sold shrink-wrapped like a 
cassette tape. The users would be... just plain people. To 
their dismay, the Lotus lawyers were unable to find any 
previous case where a crypto export license had been 
issued in those circumstances. 


To wend one’s way through the political, technical, and 
spookified minefield of these regulations and restrictions, 
you needed a white-shoed D.C. lawyer-minesweeper, so 
Lotus went out and got one. His name was Dave Wormser. 
His first piece of advice was to go directly to what would be 
the source of all objections: the NSA. The law didn’t require 
this—the specified avenue was the State Department—but 
Wormser knew that even filling out an application would be 
a waste of time unless they knew what the minds behind the 
Triple Fence might find troublesome in the product. 


So, in mid-1986, not long after inking the deal with RSA, 
Ray Ozzie went to Fort Meade, Maryland, to see what he 
was up against. He was accompanied by Wormser and Alan 
Eldridge, the Iris engineer who was in charge of the 
security components in Notes. Ozzie was thirty years old at 
the time, just a bit too young to have been swept up in the 
sixties rebellion but still old enough to have a skeptical 
attitude toward the military. As a heads-down engineer and 
product developer, though, he had little idea of what he had 
stumbled into. 


Ray Ozzie, of course, knew nothing about the similar 
journey made over a decade earlier by Walt Tuchman of 
IBM. Tuchman, too, had been an outsider with a plan that 
would extend the powers of crypto beyond the area that 
The Fort had cordoned off for itself. The NSA, confident that 
a company like IBM would never defy a request made in the 
name of national security, had originally felt it had risen to 
that challenge, but in the years after the approval of the 
Data Encryption Standard, it had become clear that the 
problem had not gone away. As crypto edged its way more 
and more into the public sector—and DES became more 
and more common within U.S. borders—certain forces 
within the NSA now saw the approval of DES, despite IBM’s 
extraordinary concessions, as a horrible mistake. Who knew 
that everybody from middle managers to grandmas were 
going to be using computers strong enough to do 
industrial-strength encryption? To some in the agency, the arrival of 
the Lotus team was probably the strongest indication yet 
that crypto was already leaching out into the mainstream. 
To those NSA people, Ray Ozzie’s visit meant that the 
crypto barbarians were indeed at the gate. 


Fort Meade, with its fences, its guardhouse, the long 
hallway with pictures of obscure generals, the generic 
meeting room you’re ushered into with furniture that 
looked like it had been there since the McCarthy era, was 
pretty intimidating. It made Ray Ozzie think, These people 
are obviously in control and they know it. 


The meeting began when several NSA officials came in. 
One of them, apparently the case officer on this matter, 
began questioning the trio. (This particular functionary— 
Ozzie is loath to disclose his name—wound up following the 
progress of Notes for more than ten years.) What was the 
product? When would it be ready? What sort of 
cryptography do you hope to use? Ozzie and his team 
described their hybrid crypto scheme: RSA for the key 
exchange and DES for the actual encryption. 


But the very mention of DES made the NSA people go 
nuts. “I’ll tell you right now,” one of them said. “You’re not 
going to export DES, no way, under no circumstances... 
you will never export DES.” This seemed strange: hadn’t 
the NSA put its seal of approval on DES? Not to be 
exported to anyone with a couple hundred bucks to spend, 
baby. The NSA functionary explained that DES was not 
merely a cryptosystem but a red-hot political issue at The 
Fort, with implications that a private-sector engineer would 
not understand and had no need to understand. 


Ozzie didn’t know it then, but the NSA was going through 
a period of post-Data Encryption Standard remorse. In fact, 
the agency was just then working on a project of its own 
called the Commercial COMSEC Endorsement Program, 
which it hoped would kill off the Lucifer-based cipher and 
replace it with a cryptosystem of its own, dubbed Project 
Overtake. The ostensible reason was that widespread use of 
DES “could motivate a hostile intelligence organization to 
mount a large scale attack” on the cipher. This in itself was 
sort of ironic, since it was the NSA that mandated the 
smaller key size for the code, thus making it vulnerable to 
such an attack. The real problem wasn’t that DES was 
weak, but that it was sound, too sound for a cryptosystem 
used by the general public. DES now threatened to fall into 
much wider use than the agency had estimated—and if 
mass-market public key systems like Notes used DES, the 
problem would get far worse. So Fort Meade now viewed 
the cipher as a rogue element in its global mission. The 
solution was for the NSA to come up with its own cipher, 
which would be strictly under its control. 


Yet Project Overtake was a doomed initiative because its 
potential private-sector customers weren’t buying. For one 
thing, its technology was expensive and clunky. It involved 
audiocassette-sized devices built to snap into computers. 
The boxes cost well over $1000 each. Worse, the banks and 
other financial institutions asked to participate in this 
project were given no control over the system. The 
algorithms themselves were protected. The boxes would be 
tamperproof. Even the keys were to be generated and 
distributed by the NSA itself. What assurances did the NSA 
give that the agency would not be keeping copies of the 
keys for itself? In a rare public interview in the Wall Street 
Journal, an NSA representative sniffed, “We have better 
things to do with our time.” In other words: Trust us. 
Elsewhere in that article, the NSA’s neo-Stalinistic 
marketing tactics were examined. A banking executive 
described a typical Project Overtake sales call: “An NSA guy 
stands up and makes pronouncements. ‘You guys have to do 
this.’ It’s a directive. You can imagine how far this gets 
them.” No, thank you, said the banks. They’d stick with 
DES. 


Though Ray Ozzie was unaware of all this, he was 
beginning to realize that the idea of exporting crypto was a 
very big deal for these guys. As the ostensibly amiable 
interrogation continued that day, it became clear that the 
NSA people did not even have the vocabulary to deal with a 
mass-marketed product with strong security like Lotus 
Notes. “They had dealt with people who knew their 
customers, and could vouch for them with end-user 
certifications,” says Ozzie. “But we had to explain to them 
that our industry didn’t work that way.” When Ozzie tried to 
elaborate on this, his attorney began kicking him under the 
table—this wasn’t the kind of thing that the NSA wanted to 
hear. But Ozzie felt it important to defend the crypto 
component in Notes, explaining that if people were going to 
use the product, they’d be risking their entire businesses on 
the security of the information. That argument didn’t seem 
to impress the spooks. 


Flying back to Boston after that first meeting, Ozzie asked 
himself, Would it really be so bad to distribute Lotus Notes 
only within the United States, and avoid this whole battle? 
But that approach would be financial suicide. You simply 
could not compete if you wrote off the global marketplace. 


So Ozzie had the lawyers arrange another meeting, this 
time in Cambridge. Had the National Security Agency 
softened its position at all? “Just to make sure you know 
where we stand,” said one of the NSA representatives to 
the Lotus people, “we’ve long known you’ve had encryption 
in Lotus 1-2-3, and from our standpoint that’s within our 
jurisdiction. We could stop your shipments of 1-2-3 
tomorrow if we felt like it.” 


Lotus 1-2-3, of course, was the spreadsheet that provided 
the lion’s share of the company’s revenues. It was the most 
popular software product in the world and a huge 
percentage of its sales was overseas. What was the 
“encryption” to which the NSA referred? Lotus’s 
spreadsheet program contained a simple password option 
that blocked access to unauthorized users. Now, it was 
highly unlikely that the U.S. government would dare halt all 
shipments of software that used passwords, an act that 
would cause the entire personal computer software 
industry to collapse. Still, the threat had its effect. Ozzie 
glanced over at his lawyer, and saw a look of sheer panic. 


In the course of that meeting and several others over the 
next three years, it became very clear to Ray Ozzie that no 
matter how crucial Lotus Notes might be to his company or 
even to the U.S. economy, any approval he got for export 
would be on the government’s terms only. On the other 
hand, he was relieved that no one dealing on behalf of the 
NSA ever made any demands on what encryption might be 
sold within the borders of the United States. (Such a 
demand would have been a violation of the Computer 
Security Act, but who knew where those guys would stop?) 
Whenever Ozzie indicated that export restrictions might 
force Lotus to release two versions of Notes, one with 
strong encryption for domestic use and the other for 
approved export, the government negotiators would shrug 
and say, “Well, that’s your decision.” At times Ozzie would 
wonder whether the NSA wanted Lotus to create some 
secret skeleton key by which the spooks could quickly 
unscramble messages encrypted by Notes. He once probed 
to see if that was the case. “What the hell do you want?” he 
asked his tormentors. “Are you waiting for me to offer you a 
back door?” The response was immediate: No, we don’t 
want you to compromise the security of the product. “So 
what the hell do you want?” Ozzie would ask, and he’d get 
no good answer. And the stalemate would continue. 


Finally, around the middle of 1987, Ozzie and his team got 
a concession from the NSA: If Lotus dropped DES and 
found a replacement cipher, the government would 
evaluate that cipher’s strength and allow Notes to be 
exported, with a key length that the parties would then 
negotiate. Lotus immediately hired Ron Rivest to cook up a 
new encryption algorithm. After a few weeks of intense 
work, he came up with his own cipher that he named RC-2, 
for Rivest Cipher 2. (A first effort was shelved.) Rivest’s 
system was similar to DES in that it was a block cipher that 
used complicated substitutions, but unlike DES, it had a 
variable key length. Lotus paid for all the development costs 
but allowed RSA to hold the patents. Rivest submitted the 
code to the NSA in 1987; not long afterward, he heard that 
the Triple Fence crypto wizards required a couple of 
tweaks. 


“How do you know they’re not doing something to 
weaken it?” Ozzie asked him. 


Rivest replied that the government’s comments actually 
made good sense, so he felt safe making their changes. That 
took a month or so, and the negotiations picked up again. 
Not that they were getting anywhere. “The content of the 
meetings was getting very thin,” says Ozzie. “I believe we 
were definitely being stalled.” His impression was that 
there was strife within the NSA itself on how to proceed. 
During 1987 and 1988, the lack of an export license wasn’t 
that much of a crisis for Lotus, because Notes was one of 
those ambitious software efforts that were years late in 
production. So the encryption issue wasn’t holding up the 
product itself. But as 1989 rolled around, it looked like the 
program might finally be ready to ship. Now an export 
solution was essential. 


The only thing that Lotus had going for it, really, was 
perseverance. Not that Ozzie had any alternatives. Every 
time he’d mention the possibility of shipping a product only 
in the United States, the marketing people insisted such a 
course was just not financially viable. So he kept pressing. 
Kept asking for more meetings with the NSA. Kept 
supplying any and all information the government 
requested. So much information, he figured, that if he ever 
did get an export license, there wouldn’t be a chance in hell 
that the government could come back and say, “Hold on, 
you didn’t tell us that the system works like this.” That 
would give it an opportunity to stop shipments. So Ozzie 
made sure that Lotus completely fulfilled even the Defense 
Department’s most trivial requests. 


While Ozzie was definitely the supplicant, he did have 
some leverage. “Are you telling me that I have to go to my 
congressman and tell him you’re preventing me from 
shipping my product overseas?” he’d ask the export 
gatekeepers. “How much of an issue do I have to make of 
this?” Lotus may not have been a multibillion-dollar 
company, but it was the biggest company in the software 
industry at the time, and it wouldn’t have looked very good 
to have some faceless spooks barring the door to the 
darling of the business press. 


Suddenly, inexplicably, the ice broke in mid-1989. Ozzie is 
convinced that the struggle within the NSA had finally 
ended in a compromise. “It was clear that there were 
people for us and people against us,” he says. “Originally 
they’d been meeting with us because it was their job and 
they were curious about what we in this new personal 
computer industry wanted. Then I believe there were 
severe internal battles, with some people in favor of letting 
a little crypto out, to make us go away. And others who 
didn’t want a precedent set, and wanted nothing out.” 
Apparently the former prevailed. An offer materialized. 
Verbally, of course. A written offer would be akin to a 
binding promise, an animal that does not exist in the export 
control menagerie. 


Here was the offer: Lotus Notes could ship overseas with 
RSA and RC-2 encryption built in, with a key size of 32 bits. 
The NSA people thought that was a major concession on 
their part. After all, their job was to break codes. So they 
had to be very concerned about what might happen if the 
president or the National Security Council came and asked 
them to break a message encrypted in a program they’d 
allowed exported. Their first instinct had been to permit 
only a 24-bit key. But “after serious leaning on NSA senior 
policy people,” said one of the government reps, they were 
willing to “go the extra mile” and allow what it considered 
unusually strong 32-bit keys. 


Unusually strong? The Lotus team was appalled. That 
meant that the keys one chose to encrypt and decrypt data 
were limited to a universe of just over four billion keys. 
While you wouldn’t want to try to crack this by hand, it was 
totally lame in the age of supercomputers. For the silicon 
sweathogs in the basement of Fort Meade, finding a key 
among four billion was a definite yawner. In the meeting, 
the NSA folks admitted that their supercomputers could 
indeed crack such keys inside of a couple of days (an 
estimate that seemed rather modest). But potential data 
thieves didn’t really need supercomputers to crack a code 
scrambled with a 32-bit key. If they were determined 
enough, and had serious dollars to spend as well as time to 
kill, they’d be able to throw enough personal computing 
power at the problem to find the keys. According to RSA 
estimates, this could be accomplished within 60 days. The 
government officials insisted that this was plenty of security. 
“Who would go to the trouble to break a single corporate 
message or several of them at 60 days a pop?” they asked. 


This seemed to ignore the guiding high-tech principle of 
Moore’s Law, which dictated that personal computers would 
double in power every eighteen months or so. So, that 60 
days would soon be less than a month. By 1995, the time to 
crack a 32-bit key would be less than a week. But all of that 
was almost beside the point. True, for most relatively 
innocuous messages sent on Lotus Notes, spending days or 
weeks on decryption was excessive. But some of the 
information transmitted by these multimillion-dollar 
companies was bound to be valuable. And how would Lotus 
be able to assure those firms if the key length was limited to 
32 bits? It couldn’t say that breaking the code was 
unimaginable—or even a challenge. Basically, getting hold 
of a secret message would be little more than a nuisance. 


There was no legal reason, however, to stop Lotus from 
producing two versions of the product: an export version 
with 32 bits and a much more secure version for use only 
within the United States. The latter used Lotus’s preferred 
key length of 64 bits, a degree of strength many times more 
difficult to crack than the export version. (Remember, each 
single bit doubles the size of the keyspace. A key that’s 
twice as hard to guess as the 32-bit version would not be 64 
bits long, but only 33 bits. The domestic version, then, was 
like doubling the difficulty 32 separate times, changing the 
time frame to crack a key from days to aeons. The bottom 
line was that it required no stretch of the imagination to use 
brute force to come up with a 32-bit key. But considering 
1989 computer power, one could reasonably declare such 
an attack on a 64-bit key next to impossible.) 


The drawbacks of producing two products of different key 
strengths were daunting. The obvious logistical costs—two 
packages, two sets of disks, two inventories of products— 
were only the beginning. Ozzie and his team had to make 
sure that both versions operated with each other. Because 
the target customer base for Notes included multinational 
companies like General Motors, the software had to be 
written so that companies with some users in the United 
States and others overseas could communicate securely. So 
Lotus had to have the product work in such a way that 
people didn’t have to worry whether or not some of the 
recipients of an e-mail might be in Spain or Kansas City. 


Essentially (though none of this was apparent as one used 
the product), each person who used Notes was given two 
sets of keys—an international pair and a domestic pair. 
Implementing this was a programming nightmare. But, says 
Ozzie, “we were not going to compromise in this country,” 
so Lotus went ahead and did the work. 


The one problem that simply could not be coded around 
was that the government-imposed limitation made the 
international product much, much weaker than its 
American cousin. You could view it as a bug, but one that 
was built into the product. Would international customers 
reject it for that reason? 


At first, they didn’t—mainly because the entire idea of 
buying a product with built-in encryption was so novel that 
customers weren’t attuned to the nuances of security. “We 
were trying to sell a product that was for uses they didn’t 
know they had,” says Ozzie. “It required a network card 
they didn’t have, a graphical interface they didn’t have. 
Only after we convinced them to put these things in did 
they ask, ‘Is it secure?’ And we’d tell them, ‘Yeah, it’s 
secure; not as much as the version in the U.S., but it’s 
secure.’ And they’d ask, ‘Can someone break in?’ And we’d 
go, ‘Well, if you ganged together thirty or forty personal 
computers, maybe you could. But you’d have to write 
special software and all.’ It was a customer education 
process to let them know we were trying to protect their 
data. It wasn’t for a few years that the questions began 
coming about why the international version isn’t as strong, 
and why didn’t we use DES.” 


Lotus’s hope was that by the time international customers 
got wise to the fact that their version of the software 
offered significantly weaker protection, the government 
would bend its restrictions and allow larger keys. 
Thirty-two-bit keys were just a compromise Ozzie made to get the 
product out the door. “Once we were shipping, and we had 
customers who had pull, we could [have the clout to argue 
for] a change to forty-eight-bit keys [in the export version],” 
says Ozzie. “That was what we were pushing for.” 


But the government seemed to be pushing in the opposite 
direction. The NSA believed that the export version, even 
with that lame key size, was still too strong because of 
certain design elements. These concerned the possible 
reencryption of already-encrypted information—something 
Ozzie figured that, at worst, would make decrypting 
messages only slightly more difficult. Without explaining its 
reasons, the government suggested design changes that 
might satisfy them. The best Ozzie could figure was that the 
issue probably related to the way that NSA cryptanalysts 
broke codes. But settling the matter took months of further 
negotiations, ultimately resulting in significant product 
redesign that made the program run more slowly in certain 
instances. 


Ozzie couldn’t help but wonder: what was the point of all 
this? Did shipping Lotus Notes overseas only in a 32-bit 
version really improve national security? 


The struggle with Lotus over software exports was only one 
sign that after years of inaction, the National Security 
Agency had to wake up and face the challenge of a crypto 
revolution. After the mild panic following the first 
breakthroughs in the late 1970s, officials at The Fort 
thought things were under control. Though Bobby Ray 
Inman’s compromise—the scheme by which crypto 
researchers would voluntarily submit their work to the NSA 
for a once-over—was not foolproof, an impressively high 
percentage of the top independent cryptographers actually 
went through the process. Because the choice was theirs, 
they could justify their decision to comply with the 
principles of academic freedom. Besides, these academics 
had no desire to destabilize national security. 
Correspondence with the spooks was also fun, in a way. It 
provided a certain frisson, not to mention an implicit 
validation that one’s work was indeed serious. In over nine 
times out of ten, the NSA made no suggestions, and other 
times, a minor adjustment would be requested—typically, 
this would be when the researcher inadvertently stumbled 
on some issue that was related to the NSA’s techniques in 
either its codes or its cryptanalysis. 


Furthermore, in at least one case, the NSA actually 
appeared to have intervened on behalf of a researcher. This 
was none other than Adi Shamir. In the years since leaving 
MIT, Shamir had been extraordinarily productive. Using the 
ideas of public key as a starting point, he and various 
colleagues had come up with new ideas for crypto. Some of 
them were amazing. One that he worked on with Adleman 
and Rivest involved a way to play “mental poker... played 
just like ordinary poker, except there are no cards.” A more 
significant creation was “secret sharing.” Only two years 
after helping invent RSA, Shamir had been intrigued by 
what he considered to be a problem looking for a solution— 
how do you share a single key among several parties, 
particularly when mistrust and suspicion festers among 
them? The classic situation is an electronic equivalent of 
what happens in nuclear missile silos: in order to launch, 
multiple keys must be turned simultaneously, requiring 
more than one person. Could you replicate this safeguard in 
cyberspace? It turns out you could, and once Shamir got to 
thinking about it, he came up with the idea of secret 
sharing, a means to parcel out a decryption key among 
several people. If a foe got hold of any individual’s share of 
the key (known as a “shadow”), he or she would have no 
advantage in an attempt to retrieve the entire key. 
Implementing that was only the beginning, though. It 
was obvious how to do it in a way requiring the cooperation 
of all the participants to reconstruct the key. But then 
Shamir thought a little. . . . What would happen if one of 
those people disappeared or died or was kidnapped? This 
led to the idea to build tolerance, so that if you were given 
any predetermined subset of the keys, you would be able to 
reconstruct the secret. This came to be known as a 
“threshold scheme,” and its uses were endless. A trade 
secret like a recipe for Coca-Cola, for instance, could be 
distributed among ten people, and then you could 
prearrange any number of complicated combinations to 
retrieve the key. If, say, the six least trusted people holding 
shadows of the key got together, they might not be able to 
reconstruct the key. But the most trusted shadow holder 
might be able to build the key with any two other people in 
the consortium. 
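
The threshold scheme described above, sketched in Python as an added illustration (not code from the book). It uses the polynomial-interpolation construction commonly known as Shamir's scheme; the field prime, the holder names, the 7-shadow threshold, and the idea of weighting trust by handing the most trusted holder five shadows are all assumptions chosen to reproduce the ten-person scenario in the text.

```python
import secrets

# Field modulus: 2**127 - 1 is prime. Chosen for this example; any prime
# larger than both the secret and the number of shadows works.
PRIME = 2**127 - 1


def split_secret(secret, threshold, num_shadows):
    """Deal num_shadows points on a random polynomial f of degree
    threshold-1 with f(0) = secret. Any `threshold` points determine f;
    fewer leave every candidate secret equally likely."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= num_shadows < PRIME:
        raise ValueError("need 1 <= threshold <= num_shadows")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shadows = []
    for x in range(1, num_shadows + 1):    # x = 0 would be the secret itself
        y = 0
        for c in reversed(coeffs):         # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        shadows.append((x, y))
    return shadows


def recover_secret(shadows):
    """Lagrange-interpolate the pooled shadows at x = 0.
    Returns the secret only if at least `threshold` distinct shadows are
    pooled; with fewer it returns an unrelated field element."""
    xs = [x for x, _ in shadows]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shadows")
    total = 0
    for i, (xi, yi) in enumerate(shadows):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shadows):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def deal_weighted(secret, threshold, weights):
    """weights maps holder name -> how many shadows that holder receives.
    Giving a trusted holder several shadows is one simple way to build the
    uneven combinations the text describes (an assumption of this sketch)."""
    pool = split_secret(secret, threshold, sum(weights.values()))
    dealt = {}
    for name, count in weights.items():
        dealt[name], pool = pool[:count], pool[count:]
    return dealt


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)         # constructed sample key
    weights = {"chief": 5}                 # hypothetical most trusted holder
    weights.update({f"staff{i}": 1 for i in range(1, 10)})
    dealt = deal_weighted(key, 7, weights)

    trusted_trio = dealt["chief"] + dealt["staff2"] + dealt["staff9"]
    six_juniors = [s for i in range(1, 7) for s in dealt[f"staff{i}"]]
    print("chief + two others recover key:", recover_secret(trusted_trio) == key)
    print("six juniors recover key:       ", recover_secret(six_juniors) == key)
```

With these weights, seven of the nine one-shadow holders acting together could also rebuild the key, so the weights and threshold have to be chosen against every coalition that should be excluded, not only the one in the example.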


In 1986, Shamir and two of his colleagues at the 
Weizmann Institute came up with another innovative and 
potentially valuable technique, known as “zero-knowledge 
proofs of identity.” Using one-way functions, these allowed 
Alice to verify that she knew a number (typically something 
that identified her, like a social security or credit-card 
number) without revealing that number to the interrogator. 
Using this system, Shamir later said, “I could go to a Mafia- 
owned store a million successive times and they would still 
not be able to misrepresent themselves as me [and use that 
information to buy goods, etc.].” Recognizing the value of 
this scheme in future e-commerce transactions, Shamir and 
his coinventors applied for a patent. But in early 1987, the 
patent office informed the cryptographers that, by order of 
the U.S. Army, their invention was now an official secret; 
circulating information on it “would be detrimental to the 
national security.” Not only were the Israeli scientists 
prevented from discussing it, but they were instructed to 
warn anyone who had seen the paper that sharing the idea 
could put one in jail for two years. Since they had already 
presented the paper at several universities as well as the 
Crypto ’86 conference, and had submitted it to the 
Association of Computing Machinery for publication that 
May, this seemed a difficult, if not futile, task. Furthermore, 
since the authors weren’t even Americans themselves, how 
could the U.S. government tell them what they could and 
could not talk about? 


The NSA apparently wasn’t involved in that secrecy order, 
but soon heard about it from concerned American scientists 
—and from the New York Times, which had been tipped off 
about the controversy. Within two days the order was 
quietly lifted. It was weeks before Shamir learned about the 
reprieve, and he became convinced that the NSA had 
intervened in his behalf. Why? As Susan Landau, an 
academic researching crypto policy, later guessed, the 
agency had intervened to preserve its prepublication 
submission program. If the perception was that submitting 
a good crypto idea could lead to a sudden embargo, the 
flow of papers to the NSA would end. And, as Landau wrote, 
“it is much easier to find out what the competition is doing 
if they send you their papers.” 


As the 1980s came to a close, however, it was clear that 
the voluntary submission system had reached the end of its 
usefulness. The turning point came, significantly, with a 
paper written by Ralph Merkle. Merkle had gone to work at 
the Xerox Corporation, in its famed Palo Alto Research 
Center (PARC). His main area of study—indeed, his passion 
—was nanotechnology, a new science based on molecule- 
sized machines. But he kept up with the crypto world. In 
1989, he wrote a paper that introduced a series of 
algorithms that would speed up cryptographic computation, 
driving down the price of encryption. This in itself was 
threatening to the NSA’s mission. But Merkle’s paper was 
particularly worrisome to the agency because it included a 
discussion of the technology of S-box design. Ever since 
Lucifer, this had been a hot-button issue at The Fort. 


Xerox sent the paper off to the NSA for a prepublication 
review. (Apparently, it had hopes of one day getting an 
export license for a product based on Merkle’s research.) 
As usual, the NSA itself circulated it to experts both inside 
and outside the Triple Fence. But this time the result was 
not a helpful correction or gentle request for a change in 
wording. The agency wanted the whole paper suppressed, 
claiming—without explaining why, of course—that 
circulating Merkle’s scheme would be a national security 
risk. 


Xerox, as a huge government contractor, quietly agreed 
to the agency’s request. Normally, that might have been the 
end of it. But in this case, apparently one of the outside 
reviewers of Merkle’s paper was upset that the agency had 
spiked it—so upset that he or she slipped it to an 
independent watchdog, a computer-hacker millionaire 
named John Gilmore. 


Gilmore had a weapon that wasn’t available a decade 
earlier, when the prepublication process was initiated: the 
Internet. One of the most popular Usenet discussion groups 
on this global web of computers was called sci.crypt. It was 
sort of an all-night-diner equivalent of the yearly Crypto 
feasts in Santa Barbara, featuring a steady stream of new 
ideas, criticism of old schemes, and news briefs from the 
code world. Gilmore posted Merkle’s paper to the group, 
and in an instant, it went out to readers on 8000 different 
computers around the world. Cyberspace had made the 
NSA’s prepublication system irrelevant. 


The agency rescinded its request to withhold publication. 
Anyway, by then even the bureaucrats at The Fort were 
getting wise to a new reality: its real challenges weren’t 
coming from academic papers but from the marketplace. 
And the prime example was that once moribund public key 
software company, now rejuvenated by Jim Bidzos. 


As the 1990s approached, Bidzos was dancing a 
complicated pas de deux with the National Security Agency. 
Though he had no real proof of it, he now imagined that 
behind the scenes it was working overtime to sabotage him 
and his company. It seemed that a lot of his potential 
customers showed enthusiasm at first, but then 
mysteriously stopped returning his calls. There were also 
government agencies whose interest in deploying his 
products suddenly evaporated. Bidzos felt in his bones that 
the silence resulted not from a failure of his sales prowess, 
but from clandestine pressure from Maryland. 


He even came to wonder about the nature of a 
relationship he had with a woman who for some reason 
spontaneously began giving him inside dope on the NSA. It 
had seemed plausible at the time, but later he wondered 
whether she was being paid to feed him disinformation. “I 
believe in the intelligence community they call it a ‘honey 
trap,’ ” he later said. It was ironic that from time to time 
people would still wonder whether Bidzos was some sort of 
double agent, putting on a charade of fighting the NSA 
while secretly implanting back doors in his company’s 
technology. In his mind, he truly believed that he was the 
single greatest thorn in the agency’s cybernetic paw. 


But what really scared Jim Bidzos circa 1990 was not the 
National Security Agency, but a far more immediate threat 
to his business. It involved not the government but the 
public key cryptography patents that were the foundation 
of his technology. The problem involved a company whose 
products didn’t compete directly with those of RSA—but 
whose patents threatened the company’s existence. 


The company was named Cylink, and its own history was 
considerably more placid than the roller-coaster ride of 
RSA. Its cofounder, Jim Omura, was a Stanford Ph.D. who 
became a UCLA professor in electrical engineering. His 
main field was information theory. Like just about everyone 
in computer science back then who didn’t work for the 
NSA, he knew almost nothing about cryptography. But he 
knew of a young associate professor at Stanford who was 
interested in the subject. “I used to ask him, ‘Why waste 
your time in cryptography?’ It seemed like there was 
nothing there,” says Omura. Fortunately for the invention of 
public key cryptography, the professor—Marty Hellman— 
didn’t take Omura’s advice. 


By the late 1970s, Omura’s views had changed, however, 
and he became an expert in the field. For extra money he 
would teach a five-day cryptography course to people in 
industry, mainly government contractors who wanted to 
develop products for the military. It covered the basic 
principles of crypto, and he taught it not only in the United 
States but also in places like Switzerland. “We had to be 
careful not to include any classified knowledge,” he says. 
Omura himself had never been briefed with classified 
material, but who knows what the government might 
consider verboten? 


After a few years, Omura and a friend began tinkering 
with actual code, and they came up with a hardware 
product: a silicon-chip implementation of public key, using 
the Diffie-Hellman key exchange. He went to another 
friend, Lew Morris, who was an early participant in Sun 
Microsystems, and they began to explore the idea of making 
a business out of it. They wrote a business plan, and started 
making the rounds of venture capitalists. 


This was in 1984, about the same time that RSA was 
going through its roughest period. Omura and Morris didn’t 
find the going any easier. “The venture community then 
couldn’t have cared less about information security,” says 
Omura. It was only through a private referral that the 
business plan fell into the hands of Jim Simons, who was not 
only a mathematician and cryptographer (he’d been one of 
the early reviewers of Lucifer) but dabbled in venture 
capital as well. He agreed to help put the newly dubbed 
Cylink company on its feet. 


Unlike RSA, which had a mission of getting crypto into the 
hands of the general public, Cylink focused on securing the 
communications of big companies, typically those that were 
government contractors. Cylink wasn’t about to push the 
envelope of what the NSA would or would not permit. Its 
first product, shipped in 1986, was dubbed the CIDEC-HS 
(so much for sexy branding). It was a chip-stuffed metal box 
that scrambled telephone communications within a 
company, using a hybrid crypto system: Diffie-Hellman to 
generate keys, DES to encrypt the data. Since many of 
Cylink’s customers were financial institutions that had 
already won clearance to use DES-based cryptography 
(including SWIFT, the international clearinghouse for bank 
transactions, which handled over a trillion dollars on a slow 
day), Cylink didn’t run into the export problems plaguing 
software companies like Lotus. It quickly became profitable. 


From the start, of course, Cylink had gone to Stanford 
University to license the Diffie-Hellman patent. At first, the 
arrangement was nonexclusive. “Stanford was deliriously 
happy,” says Robert Fougner, Cylink’s general counsel. 
“They'd finally found someone who was going to actually 
use the patent, and we made a very, very good deal with 
Stanford.” During the mid-1980s, in fact, while RSA was 
struggling to establish itself, Cylink seemed to be the only 
company turning a buck from public key. The relationship 
with Stanford flourished. Eventually, Cylink proposed that 
the university give the company additional rights to the 
public key patents. Essentially, it wanted to control all the 
patents itself. When others sought to devise and market 
potential public key crypto schemes, they would go not to 
Stanford for the licensing rights, but to Cylink for 
sublicensing rights. 


Stanford agreed to this, but there was a significant 
wrinkle: a continuing conflict over its patent rights and 
those of MIT, which owned the RSA patent. Stanford 
believed that its patents were, essentially, the public key 
patents, since they embodied the broad idea of split-key 
cryptography. By this logic, anyone who wanted to use the 
RSA scheme would also have to license the Stanford 
patents. MIT’s lawyers, however, believed that RSA could 
stand alone. This disagreement triggered tension between 
the universities that went on for several years. It was 
(pardon the expression) a low-key dispute, since there 
wasn’t much money involved at the time. 


Even so, everyone felt that a dispute between two august 
institutions was unseemly, and finally the parties reached a 
compromise. Stanford bundled all its public key patents and 
sublicensed them to MIT. MIT in turn transferred those 
rights to RSA Data Security, Inc. This removed a huge cloud 
hanging over RSA, whose system really did depend on the 
original public key idea of Whit Diffie and Marty Hellman. 
Now its software was not only fully covered by patent 
protection, but there was no question of infringing on the 
Stanford patent. 


While this was fine for RSA, it put Cylink at a 
disadvantage. Now if someone wanted to license public key 
crypto, they could go either to Cylink or to RSA Data 
Security. But only from RSA could they acquire the rights to 
the public key system created by its founders. This didn’t 
become a problem immediately, since the two companies 
were pursuing different customers. While both championed 
public key and were located within ten miles of each other, 
Cylink was, in Fougner’s words, “very insular, very 
inward . . . focused on our technology, on making a good 
product, on selling that product to a [limited, but] nice 
portfolio of customers.” On the other hand, RSA’s 
marketplace was the broader world of personal computing, 
with their eyes on a mass market. 


Almost inevitably, though, the companies found 
themselves up against each other. Because of the way the 
patents were divided, each company had an interest in 
encouraging a certain approach to public key software— 
and disparaging the other approach. Because Cylink didn’t 
have access to MIT’s patents, it aggressively promoted the 
idea of using the Diffie-Hellman key exchange. Previously, 
people in the field had thought that, in a practical sense, 
the Stanford-derived work only provided for a way for two 
parties to agree upon secret keys; unlike RSA, it didn’t 
outline the means for a full and efficient public key 
cryptosystem. But Cylink believed that by cleverly using the 
Diffie-Hellman patents, users could do everything that RSA 
did, just as elegantly: privacy, authentication, the whole 
works. Jim Omura had written a paper about it in 1987. 
“You could use the Stanford patents to do the same thing as 
RSA,” says Omura. “I think this upset Jim Bidzos because 
suddenly his technology wasn’t the unique technology.” 


“In order for RSA to succeed, it had to promote its 
software implementations, which were really focused on the 
MIT software,” says Fougner. “And here was Cylink having 
obvious commercial success with the Stanford-type 
technology. There was going to be a fight, or there was 
going to be a business deal.” 


Fougner himself joined Cylink as counsel in 1989 
specifically to deal with this issue. On his second day of 
work, he met with Jim Bidzos. He had little idea what to 
expect. Would Bidzos, who already had gained a reputation 
within the budding industry as a pressure artist, play 
tough? Far from it. As Fougner recalls, Bidzos took pains to 
appear submissive, acting as if he were almost in awe of 
Cylink’s financial success. RSA, he told Fougner, was still 
struggling to keep its head above water: Cylink had nothing 
to worry about from RSA. On the other hand, both 
companies faced an uphill battle getting crypto established 
more widely. Both of them, Bidzos said, were evangelizing a 
technology that nobody understood, that nobody wanted to 
pay for. On top of that, here were the two top public key 
companies, each promoting a different implementation, and 
confusing the hell out of everybody! 


Let’s not fight each other, said Bidzos. Why not pool all 
the patents, work together, agree on a public key standard, 
and license the hell out of it? We’ll make a gazillion dollars! 


It made a lot of sense to Fougner. Why not join forces? For 
one thing, he figured, it would probably make Stanford’s 
lawyers happy. They had long regretted granting MIT the 
sublicensing rights to its patents. By making RSA a one-stop 
shop for public key, Stanford had cut itself out of the loop! 


“The joke at Stanford,” says Fougner, “was that the MIT 
deal was often used in their seminars as an example of what 
not to do in patent licensing.” So Bidzos’s idea of putting all 
the patents in one pot (with the promise of more fees for 
the public key patents) sounded very attractive to the 
Stanford people, and they urged Cylink to go along with it. 


On October 17, 1989—the same day that an earthquake 
charting 7.0 on the Richter scale rocked the Bay Area—the 
two companies and the two universities came to an 
understanding. (The formal contract was signed the 
following April.) The patents would all belong to a new 
corporation jointly owned by RSA and Cylink. Control of the 
new entity, called Public Key Partners (PKP), would be 
shared equally between the two parent firms. Bidzos, 
arguing that the MIT rights were worth more (RSA had 
already gained some access to Stanford’s patents whereas 
Cylink had no rights to use RSA’s technology), negotiated a 
favorable revenue split: 55-45 in his company’s favor. 
Meanwhile the universities themselves got only a fraction of 
the potential cash: out of every dollar paid to PKP by 
sublicensees for patent rights, Stanford University would 
get nine cents and MIT would take in a little under fourteen 
cents. 


Omura recalls that after the partnership was established, 
Bidzos tried to get Cylink to downplay the idea that people 
could perform public key functions without the RSA 
algorithm. “He essentially said to me, ‘Now that we’re 
partners, I hope you'll stop promoting the Diffie-Hellman 
approach and support RSA.’ ” Omura told him that his 
company would still use the alternative method, but didn’t 
see why that should be a problem. “It doesn’t matter what 
technology we use,” he said to Bidzos. “We’re partners.” 


“In 1990, who cared?” explains Fougner. “Within a couple 
of years, though, a lot of people cared.” 


Initially, the two executives of Public Key Partners, 
Fougner and Bidzos, worked well together. Technically, 
Fougner was head of licensing and Bidzos the president. 
But the bylaws dictated unanimous consent on any 
decisions. For Fougner, an unassuming corporate lawyer, 
teaming up with a swashbuckling deal-maker like Bidzos, 
the enterprise was sort of a mad adventure. Two wild and 
crazy guys, trying to set a global standard for public key 
cryptography—and make tons of money for their respective 
companies. 


So enamored was Fougner of the idea that he tended to 
shrug off the almost immediate signs that in many ways the 
interests of RSA and Cylink remained divergent. The first 
order of business for PKP was to send a letter to the 
National Institute of Standards and Technology (NIST), the 
government agency that acted as the ultimate referee of 
what protocols the marketplace should agree upon as a 
standard. In large part, the success of the partnership 
between the two companies would depend on whether 
NIST adopted as standards the patents now jointly 
controlled by Bidzos and Fougner. There were actually 
several different cryptographic standards that NIST would 
have to approve: one for digital signatures, one for 
encryption, one for key exchange, and so on. Once these 
were determined, the crypto revolution would be poised for 
liftoff. All the software developers would know exactly which 
algorithms were required for privacy and authentication, 
and they would build them into their programs. All the 
programs would then interact with each other: once this 
got going, a user of Lotus would be able to send encrypted 
mail to someone using WordPerfect, and a Microsoft Word 
user could stamp a digital signature on his or her Intuit 
account ledger. It was a crucial step for a crypto society, 
and NIST knew it. 


The government decided to establish the digital signature 
technology as the first standard. Uh-oh. Cylink and RSA had 
different approaches to signatures, each one based on their 
separate public key religions: Stanford or MIT. Which one 
would PKP offer to the government as its official candidate 
for a standard? Jim Bidzos had the answer: Let’s make this 
one RSA, he said. The Cylink people were unsure; after all, 
they’d been working on Diffie-Hellman signatures for six 
years. Bidzos had an answer to that: We’ll do RSA for 
signature, and when it comes to a key-management 
standard (the means of handling and verifying the zillions of 
digital keys that a large-scale system would handle), we’ll 
do Diffie-Hellman. The Cylink people agreed. Public Key 
Partnership’s letter to NIST, under Fougner’s signature, 
went out on April 20, just two weeks after PKP was formally 
established. It urged that the agency adopt the RSA scheme 
as a Standard. “Public Key Partners,” the letter said, 
“hereby gives its assurance that licenses to practice RSA 
signatures will be available under reasonable terms and 
conditions on a nondiscriminatory basis.” 


But when it came to digital signatures, the government 
had its own ideas. 


In the midst of all that wrangling, Jim Bidzos was still 
concerned with keeping his company afloat. He was now 
working on his biggest licensing deal yet—a broad 
arrangement with the most powerful software company on 
earth: Microsoft, the White Whale of high tech. For the 
previous few years, its wizards had become increasingly 
aware that their customers might need cryptography built 
into Microsoft products. From the company headquarters in 
Redmond, Washington, its chief technical officer, Nathan 
Myhrvold, had begun to circulate memos on how crucial 
this would become. Myhrvold often invoked his 
grandmother, who lived in a small farm community where 
people left their doors unlocked: This was fine in an isolated 
setting where strangers were seldom seen, but simply 
would not do in an urban setting. It was the same with 
computers, he would say; they were moving from isolated, 
unconnected units on desktops to networked nodes in a 
large infrastructure. To protect everything from taxes to 
medical records, you needed locks, and Myhrvold 
understood that public key cryptography would provide 
those locks. 


Myhrvold had been in college when Martin Gardner’s 
Scientific American article about RSA appeared. “I thought 
it was infinitely cool,” he said, and the future physicist (who 
would study under Stephen Hawking at Cambridge 
University) devoured the RSA paper as well as the Diffie- 
Hellman paper that inspired it. A decade later, after a 
software company Myhrvold had started was bought out by 
Microsoft, he had become one of Bill Gates’s most trusted 
lieutenants. He was excited about his opportunity to help 
get public key into the mainstream. As was the case with 
Ray Ozzie and Lotus, he wound up dealing with the obvious 
person: Jim Bidzos. 


The Microsoft license was crucial to Bidzos. It would 
make his technology a security standard for the hundreds 
of millions of customers who used Microsoft’s DOS and 
Windows operating systems as well as its applications like 
the word-processor Word and the spreadsheet Excel. 
Nonetheless, Bidzos approached the negotiations with his 
usual aggressiveness, boasting that, as the patent holder, 
he was the only game in town for crypto supplicants. 


Myhrvold wasn’t intimidated. If RSA is so great, he wanted 
to know, why isn’t anybody else using it? He conceded that 
public key systems may be inevitable, but joked with Bidzos 
that they might not catch on until the patents ran out 
toward the end of the century. 


Bidzos wasn’t fazed, and the negotiations proceeded— 
two major egos, each giving as good as he got. The issues 
were complicated because Microsoft wanted the right to 
modify the code of RSA’s crypto toolkits to suit their 
products. Inevitably, though, as Ray Ozzie had already 
learned, there was an even bigger hurdle facing all of them: 
the export laws. 


Anticipating that including crypto in its products would be 
problematic, Microsoft had begun a dialogue with the NSA. 
Though cordial, the new relationship was uneasy. The first 
few times representatives from Fort Meade ventured to the 
Redmond headquarters, they wouldn’t even reveal their 
last names; to get them building passes, Myhrvold had to go 
to the reception desk to approve badges with first names 
only. “They were reflexively secretive,” says Myhrvold, half 
amused and half annoyed. Worse, they never seemed to be 
explicit about what was and was not permitted. But they 
were vocal about one thing: RSA Data Security. They 
seemed to have it in for the company. 


Obviously, the NSA people did not relish the prospect of 
this upstart company providing a surveillance-proof shield 
to hundreds of millions of Microsoft customers. As Myhrvold 
tells it, they tried to turn him against Jim Bidzos and his 
company. Their method of dissuasion was interesting. 
Without saying it outright, they began dropping broad hints 
that behind the Triple Fence, the cipher devised by Rivest, 
Shamir, and Adleman had already been broken. Myhrvold 
was worried about giving his customers reasonable security 
—if the government could crack the code, why not a crook? 
—so he grilled Bidzos about the NSA’s claim. 


Bidzos was stunned: he’d felt the Microsoft deal was 
almost completed. He sprang into action to refute the 
charges. “We contacted every number theorist, every 
mathematician, every researcher in this field we knew, and 
within twenty-four hours had gotten back,” he says. 
“[Microsoft was] blown away by what we had done and they 
said that obviously the charge isn’t true.” 


Myhrvold’s recollection is different. He says that the 
refutation was superfluous: he always did believe the RSA 
algorithm was sound. But Myhrvold does say that he teased 
Bidzos by noting that no system short of a one-time pad 
could be provably impervious to cryptanalysis. Bidzos 
answered, quite reasonably, that one could trust a publicly 
published cipher—open to challenge from anyone in the 
community—more than one of the NSA’s secret algorithms. 
RSA’s future was totally linked to the strength of its codes, 
so it had every incentive to make sure those codes were 
strong. “If somebody breaks it,” Bidzos said, “what you’ve 
got are the remnants of a once-valuable company.” In any 
case, Bidzos convinced Myhrvold. To Myhrvold the NSA’s 
antipathy toward RSA was in a sense an endorsement: why 
would the agency want it stopped so much unless it was 
actually hard to break? 


But the NSA wasn’t through. According to Myhrvold, the 
agency made another eleventh-hour attempt to discourage 
Microsoft from licensing RSA, this time questioning the 
validity of the company’s patents. In addition, its people 
speculated that future government standards would not use 
RSA technology, and Microsoft might have an orphaned set 
of algorithms. Bidzos rushed back to Redmond to 
orchestrate a presentation that conclusively proved the 
solidity and breadth of his patent rights. 


According to Bidzos, the final NSA attempt at sabotaging 
the deal came when an agency official called Myhrvold and 
said, basically, “Don’t do it.” (Myhrvold says that he doesn’t 
recollect those words specifically, but confirms the NSA 
conveyed to Microsoft that it believed licensing RSA would 
be a mistake: a powerful disincentive for the software giant 
to link up with this unproven company.) 


Bidzos was furious. As he recollects now, he dialed up the 
highest ranking person he knew behind the Triple Fence 
and laid out what he had heard. Then, before his contact 
could utter a word in reply, he demanded that the official fix 
the problem and call Microsoft back to tell them that the 
agency had made a big mistake. “If that doesn’t work, 
you’re going to answer to the congressman in my district,” 
he said. “If that doesn’t work, you’re going to answer to a 
district attorney, because I’m going to file a complaint. If 
that doesn’t work, I'll try the New York Times. But one way 
or another, if you don’t fix this, I’m gonna make you answer 
for it.” Bidzos more or less expected his contact to deny 
everything, or at least insist that he knew nothing of the 
sabotage. Instead, Bidzos claims, the man said, “I’ll call 
them.” And, according to Bidzos, his contact called 
Microsoft and recanted. 


The path was now clear for a deal. One small point 
holding up the arrangement had been Bidzos’s insistence 
that Bill Gates personally sign the contract. Bidzos wanted 
to display that final page of the contract on his wall, and 
what would it look like without the John Hancock of 
Microsoft’s famous CEO? By implying that Gates’s signature 
might be a problem, Myhrvold brags that he was able to get 
a few deal sweeteners from Bidzos. (But Bidzos got a 
sweetener, too—Gates’s presence at an RSA event.) 


A few days later, over Memorial Day weekend in 1991, 
Bidzos called Fougner to boast about the now-completed 
deal. Fougner recalls being blown away. “Jim, that’s 
amazing,” he said. “You got Microsoft to license your 
proprietary toolkit, and they’re going to put it in their 
operating system? That’s unbelievable! How did you do 
that?” 


“Salesmanship, Bob,” said Jim Bidzos. “I’m a great 
salesman.” 


Salesmanship or not, by early 1991, the future of the public 
key patents was very much in doubt because of the lack of a 
government endorsement. Bidzos was, of course, desperate 
to have RSA established as the standard. Early in the 
process, NIST, the arbiter of the process, had been 
enthusiastic about doing just that. RSA, wrote a senior 
scientist at the agency, was “a most versatile public key 
system.” Indeed, as late as December 1990, NIST was 
trying to convince Bidzos’s foe, the NSA—whose voice in 
the process was crucial—that the system should be 
adopted. Not only was it commercially effective, said its 
representatives in meetings with the intelligence agency, 
but there was no reasonable technical argument for 
anything else. 


But then progress stalled. None of the entreaties from 
Bidzos or Fougner to establish RSA as the standard seemed 
to have been effective. And on August 30, 1991, it became 
clear why. The National Security Agency had devised its 
own scheme. 


Publishing in the Federal Register, NIST proposed a new 
set of algorithms as the prime candidate for a standard. The 
government’s product, known as the Digital Signature 
Algorithm (DSA), was written by an NSA employee named 
David Kravitz. In many ways, it was similar to the RSA 
signature scheme. Both schemes employed a public-private 
key pair. In both, when Alice wishes to prepare a digitally 
signed message, she first applies an algorithm known as a 
hash function, which boils the content down to a 
compressed “message digest.” (This, essentially, is the 
message boiled down to its essence, for easy processing.) 
Then, by way of a mathematical function that uses Alice’s 
unique private key, that message digest is scrambled, or 
“signed.” Both the original message and the digest are then 
sent off to Bob. When Bob—or anyone else—gets the 
message, he now has a way to verify that it was indeed Alice 
who sent it and that the message itself wasn’t tampered 
with in transit. He uses Alice’s public key to “unsign” the 
message and the digest. Then he uses the hash function to 
re-create Alice’s message from the digest. Only if the letter 
came from Alice and only if the content was unchanged 
would the re-creation match the original. 


The government method differed from RSA’s signature 
scheme in one profound way: its public-private key pair 
could be used only for authentication, not encryption. In 
other words, this was a public key system that couldn’t keep 
a secret. Thus it presented no threat to national security or 
law enforcement—literally, it was just what the government 
ordered. “Our underlying strategy,” an NIST official would 
testify to Congress, “was to develop encryption technologies 
that did not do damage to national security or law 
enforcement capabilities in this country. And our 
objective ... was to come out with a technology that did 
signatures and nothing else very well.” 
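The hash-then-sign flow and the RSA/DSA difference described above, as an added Python illustration that is not from the book: the RSA key pair both signs and encrypts, while DSA offers only sign and verify. The toy key sizes, the unpadded RSA, the Mersenne-prime modulus and the sample messages are all assumptions constructed for the example.

```python
import hashlib
import secrets

# Constructed toy parameters throughout: unpadded RSA over two Mersenne primes
# and a 61-bit DSA subgroup. Readable, but far too small to protect anything.

def digest(msg: bytes) -> int:
    """The 'message digest': SHA-256 of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

# ---- RSA: one key pair both signs and encrypts ----
RSA_N = (2**61 - 1) * (2**89 - 1)                    # public modulus
RSA_E = 65537                                        # public exponent
RSA_D = pow(RSA_E, -1, (2**61 - 2) * (2**89 - 2))    # private exponent

def rsa_sign(msg: bytes) -> int:
    return pow(digest(msg) % RSA_N, RSA_D, RSA_N)

def rsa_unsign(sig: int) -> int:
    """Apply the public key to a signature; yields the digest that was signed."""
    return pow(sig, RSA_E, RSA_N)

def rsa_verify(msg: bytes, sig: int) -> bool:
    return rsa_unsign(sig) == digest(msg) % RSA_N

def rsa_encrypt(m: int) -> int:      # anyone holding the public key
    return pow(m, RSA_E, RSA_N)

def rsa_decrypt(c: int) -> int:      # only the private-key holder
    return pow(c, RSA_D, RSA_N)

# ---- DSA: sign and verify only ----
def is_prime(n: int) -> bool:
    """Miller-Rabin, first 12 primes as bases (deterministic below about 3e23)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def dsa_params():
    """Find a prime p = k*q + 1 and a generator g of the order-q subgroup."""
    q, k = 2**61 - 1, 2
    while not is_prime(k * q + 1):
        k += 2
    p, h = k * q + 1, 2
    while pow(h, k, p) == 1:
        h += 1
    return p, q, pow(h, k, p)

DSA_P, DSA_Q, DSA_G = dsa_params()
DSA_X = secrets.randbelow(DSA_Q - 1) + 1     # private key
DSA_Y = pow(DSA_G, DSA_X, DSA_P)             # public key

def dsa_sign(msg: bytes):
    while True:
        k = secrets.randbelow(DSA_Q - 1) + 1         # fresh secret nonce per message
        r = pow(DSA_G, k, DSA_P) % DSA_Q
        s = pow(k, -1, DSA_Q) * (digest(msg) + DSA_X * r) % DSA_Q
        if r and s:
            return r, s

def dsa_verify(msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < DSA_Q and 0 < s < DSA_Q):
        return False
    w = pow(s, -1, DSA_Q)
    u1, u2 = digest(msg) * w % DSA_Q, r * w % DSA_Q
    v = pow(DSA_G, u1, DSA_P) * pow(DSA_Y, u2, DSA_P) % DSA_P % DSA_Q
    return v == r            # a yes/no check; no value is recovered or decrypted

MESSAGE = b"Pay Bob $100"    # constructed sample messages
TAMPERED = b"Pay Bob $900"

if __name__ == "__main__":
    rs, ds = rsa_sign(MESSAGE), dsa_sign(MESSAGE)
    print("RSA genuine/tampered:", rsa_verify(MESSAGE, rs), rsa_verify(TAMPERED, rs))
    print("DSA genuine/tampered:", dsa_verify(MESSAGE, ds), dsa_verify(TAMPERED, ds))
    secret = int.from_bytes(b"session key", "big")
    print("RSA pair also keeps a secret:", rsa_decrypt(rsa_encrypt(secret)) == secret)
```

RSA verification recovers the signed digest by inverting the private-key operation, which is why the same pair can encrypt; DSA verification only recomputes `r` and compares.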


But NIST, which originally looked favorably on adopting 
the RSA solution, came to adopt this objective only after 
pressure from Fort Meade. During the last months of 1990, 
the NSA had been pushing hard for its system, and in 
February 1991, its new director, General William O. 
Studeman, forced the issue, urging NIST to “cut short the 
debate and get on with the things that need to be done to 
provide the necessary protection.” At the next meeting of 
the two agencies’ joint technical working group, NIST 
representatives raised the white flag, and indicated that 
their management “has accepted the NSA’s proposal.” But 
when NIST publicly signed off on the NSA-created 
algorithm in April, nothing was mentioned about the 
involvement of the secret intelligence agency. 


Bidzos wasn’t fooled, though, and was furious about the 
government’s choice of the DSA as its standard. He 
contended that the NSA had completely subverted the 
Commerce Department, the agency to which NIST 
belonged. Instead of helping American industry, he 
charged, the Commerce Department was now working 
against it, totally in service to the spooks. (This suspicion 
was later bolstered by a congressional investigation that led 
the House Government Operations Committee to declare, 
“NSA is the wrong agency to be put in charge of this 
important program.”) The next step, Bidzos warned, would 
be the unveiling of an encryption standard that didn’t adopt 
the familiar algorithms—his algorithms!—but some new 
ones that the government could break. 


Bidzos had a lot of ammunition for his attack. In purely 
technical terms, it was clear that the DSA was inferior to 
RSA. It was, as one observer put it, “an oddball standard,” 
much slower to verify signatures than RSA’s system (though 
faster to sign messages), more difficult to implement, and 
more complicated. And, of course, it didn’t have encryption. 


Unlike RSA, it had no track record. The government 
scheme did offer one advantage over RSA, however, 
something that Bidzos was hard-pressed to match. It was 
free. Indeed, in the August 30 announcement, the 
government had proclaimed its intention to make its 
signature standard available worldwide on a royalty-free 
basis. 


Bidzos felt he could fight the proposed standard by way of 
a patent challenge. But that would not be easy. Public Key 
Partners, of course, controlled the Stanford patents that 
involved the first digital signatures. But the government 
claimed that its scheme bypassed those patents by relying 
on a different implementation of digital signatures, one 
designed by another Stanford cryptographer named Taher 
ElGamal. A former student of Hellman’s, ElGamal had 
refined the idea of using the hash algorithm and the 
message digest for digital signatures. But ElGamal had 
made the mistake of publishing before applying for a patent 
(his paper had appeared in 1985), thus forfeiting his rights 
to a patent. So if the government’s claim was correct, the 
DSA was free and clear of any patent claims. 


Bidzos disagreed, but he understood that staking his 
claim would be time-consuming and costly. Still, there was 
one other way to accuse the government of pilfering 
intellectual property. It involved yet another patent. 


This one was based on the work of a German 
cryptographer named Claus Schnorr, who’d patented his 
own digital signature scheme in February 1991. After 
hearing about the DSA, Schnorr insisted that it infringed 
upon his patent, and demanded $2 million from the United 
States. To many observers, this was overstepping: the 
conventional wisdom was that both Schnorr’s and Kravitz’s 
systems were variations of ElGamal’s work. Nonetheless, 
the government was concerned. In its own patent 
application, it took pains to assert that the ideas behind the 
DSA were independent of Schnorr. Still, Schnorr had at the 
least a “scarecrow” patent: a claim that might not prove to 
be defensible in a long, drawn-out lawsuit, but one that 
nonetheless gave its holder a plausible reason to attack a 
similar concept. As long as Schnorr was unhappy, the 
government had a problem. 


Bidzos saw this as a great opportunity. While the 
government dithered, he would try to add the German’s 
patent to the Public Key Partners portfolio. It would be like 
landing on Park Place after already owning Boardwalk: 
patent monopoly! Bidzos found out that Schnorr was 
attending a conference in Marseilles, so he flew there with 
Fougner in tow. They arranged to have lunch at one of the 
fanciest restaurants in town. The meal lasted for hours, 
with multiple bottles of fine wine delivered to the table. 
Schnorr was in his midforties, a conservative scientist who 
was proud of his most recent triumph—winning the 
lucrative Leipzig Prize. Bidzos quickly figured out the way 
to handle him. “I talked to him like a coach would to a 
tennis player,” says Bidzos. “That he could do it himself, or 
he could let me negotiate his deals and manage his 
contracts and endorsements, so he could work on his 
game.” Fougner was impressed at the hard sell. “Bidzos 
regaled him with tales of his friendship with Bill Gates and 
his global vision of public key cryptography and the 
universe,” he says. 


The meal finally wound down, with the waiters standing 
around, anxious to clear this final table. They moved to a 
pub by the waterfront. Fougner quickly sketched out on a 
piece of paper a transfer by which PKP would receive all 
rights from Schnorr’s patent. At the pub, in the shadow of a 
fifteenth-century galleon, Schnorr, whether captivated by 
Bidzos’s promises of riches, or just plain exhausted, signed 
the paper. 


When Bidzos got back to the States, he had another in his 
endless series of meetings with NIST. His contacts were 
Dennis Branstad and Lynn McNulty, two computer 
scientists at the agency who were often caught between the 
demands of the public and those of their bosses. In hoping 
to resolve the government’s patent problems, they had 
been desperately urging NIST to buy the Schnorr patent. 
They also wanted to pay off RSA to clear up any alleged 
conflict with the Stanford patents, and they assumed the 
meeting would focus on such an offer. Instead, Bidzos 
began by declaring, “I represent Claus Schnorr and you’re 
infringing on my patent.” 


Bidzos was exultant. “I had never seen two guys look 
more tired,” he later boasted. 


Meanwhile, Bidzos was helping engineer opposition to the 
DSA on other fronts. As a response to the August 30 
Federal Register announcement, NIST had received 109 
comments on the scheme, the vast majority of them critical. 
Companies already using RSA, including Microsoft and 
Lotus, were unhappy that their investment in that scheme 
would be lost, and they would have to develop new software 
for the new standard. Other complaints dealt with the 
relatively laggardly computation rate of the DSA. Also, 
critics were concerned about the vulnerability of the 
scheme. Because the proposed standard used only 512-bit 
keys to calculate the signatures (RSA used 1024 bits), there 
was a question about whether the powerful computers 
inside the Triple Fence might be able to churn out 
forgeries. How could anyone assert that a signature was 
valid beyond question when an intelligence agency had the 
potential to create counterfeits? To Ron Rivest, the whole 
thing was symbolic of the government’s policy in general: 
“What crypto policy should this country have?” he asked at 
a 1992 conference held in D.C. “Codes which are breakable 
or not?” 


Though the controversy never caused major debate 
within the general public, it did ignite some civil liberties 
groups, which had been closely watching the relationship 
between the NSA and NIST. In fact, the balance of power 
between the two agencies was risible—one was the flagship 
of our multibillion-dollar intelligence operation, the other a 
dime-store government backwater. While the liberals and 
the libertarians hoped that the latter organization would 
protect the interests of ordinary citizens, they had little 
confidence it would do so. 


Their fears were justified. A look at the prior history of 
the two organizations laid the blueprint for an imbalance of 
power. After the Church hearings in the seventies, the 
entire organization of the NSA had felt chastened. But in 
1984, at the apex of Ronald Reagan’s presidential power, 
the NSA showed signs of reentering the realm of domestic 
policy. At the apparent behest of Fort Meade, Reagan issued 
a National Security Decision Directive intended to monitor 
information in databases—both in- and outside government 
—that fell into the vague category of “sensitive, but 
unclassified, government or government-derived 
information.” This caused a minor firestorm, and eventually, 
the NSA’s congressional nemesis, Representative Jack 
Brooks of Texas, gave the agency a tongue-lashing: “The 
basement of the White House and the back rooms of the 
Pentagon,” he said in a hearing, “are not places in which 
national policy should be developed.” Eventually, the 
government backed down. 


The experience led some in Congress, urged by frantic 
lobbying from civil liberties groups, to create a law that 
would set boundaries for the government in the computer 
age. In what was an unusual act of independence from the 
demands of an intelligence agency, Congress in 1987 
passed the Computer Security Act, which specifically 
turned over the responsibility for securing the nation’s 
computer infrastructure—particularly in recommending the 
standards to which industry would adhere—from the NSA 
to the National Bureau of Standards (which was about to 
take on the higher-tech appellation of National Institute for 
Standards and Technology). 


Why did Congress flout the spooks? True, the civil 
liberties groups had lobbied hard. But more to the point, 
says Marc Rotenberg, who was then a staffer for Senator 
Patrick Leahy, “U.S. business didn’t particularly like the 
NSA setting the standards. The NSA’s concerns about 
computer security are not the concerns that businesses 
face—they weren’t worried about the Kremlin, they were 
worried about their competitors.” 


Bolstered by industry support, the lawmakers moved fast 
and the NSA was caught flat-footed. Not even an 
appearance by then-NSA director General William E. Odom 
could stop the bill. His complaint that shifting security 
responsibilities to the civilian agency would be an 
unnecessary “duplication” of functions really missed the 
point: industry preferred that the Commerce Department, 
and not the spies, set standards for the national computer 
infrastructure. As one NSA official later wrote in a memo, 
“By the time we fully recognized the implications... 
[Brooks] had it orchestrated for a unanimous-consent voice- 
vote passage.” 


Of course, The Fort was not shut totally out of the process 
of securing the nation’s computers. As the undisputed 
world capital of crypto, it had invaluable expertise in 
computer security, and Congress outlined an advisory role 
for Fort Meade to NIST. The question was, how would the 
two work together? In negotiations to determine that, the 
NSA sat across the table from the acting director of NIST, a 
bureaucrat named Raymond Kammer. Not only was 
Kammer sympathetic to the National Security Agency, he 
was actually the son of two of its veterans! The official 
Memorandum of Understanding reached between the two 
agencies did preserve the concept that NIST would take the 
lead in establishing standards, but formalized an NSA role 
as well. In “all matters related to cryptographic algorithms 
and cryptographic techniques,” said the memo, NIST would 
solicit the NSA’s help. To implement this, the two agencies 
would work through a “technical working group.” Though 
NIST was supposedly in charge of the process, it would not 
hold a majority presence in the group, which consisted of 
three people from each agency. 


Though both agencies insisted that NIST was really in the 
driver’s seat, skeptics suspected otherwise. Even with its 
zippy new name, NIST was the nerdy Mr. Peepers of 
government agencies, suddenly thrust into the center of a 
huge political and national security battle. At least one high- 
ranking official of the agency later admitted that NIST not 
only hadn’t sought the powers granted by the Security Act, 
but it didn’t want them once the bill was passed. “It put us 
in charge of what we didn’t want to be in charge of,” he 
says. 


The skirmishes over the digital signature standard 
seemed the ultimate proof that NIST was pretty much Fort 
Meade’s stooge. In the years to follow, investigations would 
bear this out; one General Accounting Office report 
concluded that, contrary to congressional intent, “NIST 
follows NSA’s lead in developing certain cryptographic 
standards.” Declassified documents outlining the 
discussions in the monthly meetings of the two agencies’ 
technical working group clearly illustrated this. At every 
step, the NIST people seemed to be waiting for the NSA’s 
verdict on the signature issue. 


Even NIST’s own oversight group, the Computer System 
Security and Privacy Advisory Board, had serious problems 
with the relationship between the two agencies. In March 
1992, it determined that “a national-level public review of 
the positive and negative implications of the widespread 
use of public and private key cryptography is required.” But 
the NSA wanted no part of a discussion or review, and 
squelched that idea. In a classified memo, the new NSA 
head, Admiral Mike McConnell, put it bluntly: “The National 
Security Agency has serious reservations about a public 
debate on cryptography.” 


Still, the government was beginning to feel some heat. 
Once again, Representative Jack Brooks held hearings. 
They featured scorching testimony by the NSA’s critics. 
Nathan Myhrvold of Microsoft testified that “the 
government’s late publication of its proposed signature 
standard, together with its serious technical flaws ... made 
it impossible for the computer industry to adopt the 
government standard for commercial use.” Addison Fischer, 
an early RSA Data Security investor who used the 
company’s algorithms in the mainframe computer products 
of his eponymous company, invoked a powerful metaphor 
that would reappear in crypto debates to come: 
“Cryptography, especially public key cryptography, is 
entering the mainstream,” he said. “It is simply another of a 
long line of technological genies which is exceedingly 
useful, and which cannot be put back into the bottle—even 
if there may be some unpleasant side effects.” 


All of this criticism, of course, was music to Jim Bidzos’s 
ears. While he had become a crusader for the free rein of 
crypto, his main goal had always been strengthening his 
company. If the pressure on the government continued— 
and he kept threatening to exercise the Schnorr patent to 
fight the government’s candidate—he figured that 
eventually the standards process might go his way, and RSA 
technology would at least win approval as the official digital 
signature standard. 


And then, astonishingly, the feds caved. Or at least 
seemed to. 


As Bidzos tells it, the government finally concluded that 
its own standard would fail not on crypto grounds but on 
patent grounds. At a June 1993 meeting at the Commerce 
Department, a NIST lawyer said the words Bidzos longed to 
hear: “We want to work with you.” While Bidzos and his 
attorneys sat stunned, the official continued. “Why don’t 
you make us a proposal for a licensing situation if you want 
to be compensated?” 


Bidzos said he would get back to them in writing. And a 
negotiation began, with the government offering an 
amazing financial concession to Public Key Partners: an 
exclusive patent on the government’s algorithm, the DSA. 
The United States would use the DSA as its standard, and 
would pay PKP a royalty fee. It was estimated that this 
could be as high as a dollar a user. Since millions of dollars 
would potentially come from this—every citizen would use 
this standard to communicate with the government, in 
everything from making contracts to filing IRS returns— 
there was a huge incentive for Bidzos to accept. So he did. 


In this sense, he was acting on behalf of his company’s 
bottom line and against the interests of the general public. 
After all, his company would now be party to the use of the 
NSA’s product as a standard, an algorithm Bidzos himself 
had gleefully trashed in public. 


Some people began to question whether RSA’s strategy of 
protecting crypto by patents was itself a path that retarded 
the progress of computer privacy. Maybe Bidzos was in 
league with the spooks. After all, as one observer noted, 
“One of the purposes of the patent system is to cause 
technology to be exploited. ... Public key cryptography was 
invented almost twenty years ago, and yet is not yet in 
widespread use. A visit to the supermarket checkout 
counter reveals no digital signatures. Why not?” 


But the deal would never be closed. In its haste to 
eliminate a nasty patent battle, the government 
underestimated the outrage that would come from its 
abandoning a commitment to make the algorithm royalty- 
free. When the government solicited comment on the deal, 
the criticism was withering. Critics called it a $2 billion 
giveaway to Public Key Partners. The Canadian government 
and the European Commission indicated that they wouldn’t 
pay the royalties, and to hell with the patents claimed by 
the United States government. It was a revolt that the 
government didn’t need. So NIST reneged on its offer to 
Bidzos, and reaffirmed that whatever standard it chose, it 
would be royalty free. And so, once again, it was back to 
square one on the digital signature standard. 


Bidzos was philosophical about the turnaround. He did 
regret losing all that potential cash. But with the plan killed, 
Bidzos could once again take the side of the angels, a foe of 
a government that wanted to crush individual privacy, even 
if it meant impoverishing American software companies. 


In any case, the bickering over the signature standard 
was to continue for another year. It wasn’t until October 
1994 that NIST finally made its choice. It chose to dismiss 
the patent issue, ignore the overwhelmingly negative public 
response, and endorse the DSA as its own candidate as the 
official standard for digital signatures. “NIST reviewed all 
the asserted patents and concluded that none of them 
would be infringed,” it stated in a fact sheet. (To assure 
those who still had qualms, the agency took the 
extraordinary step of assuming liability for anyone using the 
standard who might later be sued for patent infringement.) 
While NIST made some beneficial technical changes from 
its original proposal, most notably extending the key length 
from 512 to 1024 bits, essentially the result was an 
authentication system created in secret by the government 
intelligence agency, one that virtually no one in industry 
had found attractive enough to adopt. This instead of a 
system already implemented by Microsoft, Apple, IBM, and 
Novell. Is it any wonder that years later, the digital 
signature standard would still be an orphan—and that in 
the midst of an electronic boom, there would exist no 
universal means of authenticating e-mail? 


The funny thing is, as NIST scientist Lynn McNulty later 
said, “We thought that the digital signature would be the 
easy one.” But as contentious as it was, the battle over 
signatures was only a warm-up for the main event in the 
cryptography war: the war over encryption. 


crypto anarchy 


When Phil Zimmermann began his cryptography 
adventure, he had no idea that he would end up both hailed 
as a folk hero and investigated for violations of federal law. 
He acted out of scientific curiosity, a hobbyist’s passion, and 
a bit of political paranoia. Born in 1954, and raised in 
various Florida towns, he was a self-described nerd, “not 
naturally a party guy.” An odd, awkward duck. His father 
was a truck driver; both parents were alcoholics. He 
wanted to be an astronomer. In the fourth grade, though, 
he became captivated by codes. A Saturday afternoon 
Miami television show called M.T. Graves and the Dungeon 
had a kids’ club. Members were sold a physical “key” to 
unscramble a secret code. During the show, a series of 
numbers were flashed on the screen and club members 
could use the key to translate them into magical, clear 
messages. Zimmermann never sent in the money to buy the 
key, but he jotted down the numbers anyway—and managed 
to decode them into plaintext. To an only child in a troubled 
family, transforming such gibberish into something familiar 
gave a sense of mastery, of belonging. A sense of an 
organized home. 


No wonder Zimmermann sought to learn more about 
ciphers. He found a book by children’s author Herbert S. 
Zim called Codes and Secret Writing. Published by 
Scholastic and directed at ten- to twelve-year-olds, this thin 
volume straightforwardly conveyed the excitement of 
cryptography, almost as if its author were a senior 
intelligence executive instructing a bright, though green, 
recruit. “The idea of this book is not to give you codes to 
copy but to help you invent your own codes—not one or two 
but, if you like, hundreds of codes,” wrote Zim. “How you 
use your knowledge of codes is, of course, up to you.” 


The book became Zimmermann’s Bible. He faithfully 
attempted all its exercises, such as making invisible ink out 
of lemon juice, creating original ciphers, and, of course, 
cracking the encoded messages presented in the book. A 
couple of years later, in junior high, a friend boasted of a 
code he’d made up and Zimmermann accepted the 
challenge of breaking it. “Make sure it’s a long message,” 
Zimmermann told the kid, who complied, foolishly thinking 
that a longer message would be harder to crack. The 
message was written in runic-style symbols, vaguely 
evocative of the languages of Tolkien’s Middle Earth. 
Zimmermann did a frequency analysis, an elementary 
technique of cryptanalysis that simply involves counting 
how often alphabetic letters appear. This enabled him to 
solve it like a garden-variety cryptogram. All to the 
amazement of his buddy. 


His interest in codes waned during his teenage years, and 
it wasn’t until he was in college, at Florida Atlantic 
University, that Zimmermann realized computers could be 
cryptographic tools. Though he was majoring in physics, he 
wound up spending a lot of time in the computer room, at 
first doing course-related work, but eventually just drinking 
in the elixir of programming itself. The appeal was creating 
one’s own world in the machine. “You could interact with 
something that wasn’t a living thing but seemed to be like 
one,” he says. Best of all, he was good at it, in contrast to 
his physics abilities. His nemesis: calculus. 


Though he began programming his first week at college 
in 1972, he didn’t actually see a real computer for a year, 
because his school only had terminals connected to distant 
machines. After all, Florida Atlantic wasn’t MIT or Stanford. 
Not even a big state school. Zimmermann became a student 
assistant, teaching others to use the terminals. And after his 
second year, he dropped physics for computer science. 


He rediscovered his passion for ciphers in that computer 
room. One of his experiments involved writing his own 
secret code, using the now-antiquated FORTRAN computer 
language. His scheme used random number functions to 
substitute each character in a plaintext message with a 
different character. The random number function was 
keyed with a password. Because his code couldn’t be 
broken by frequency analysis (the randomizing function 
would change a “t” early in the message to one thing and 
subsequent “t’s” to different characters), Zimmermann 
figured that not even the CIA could break it. He’d never 
imagined techniques like chosen plaintext attacks, or 
deconstructing random number generators. (And he’d 
never heard of the NSA.) As it was, years later he would 
encounter that same “unbreakable” cipher, presented in a 
student homework assignment as a cipher that could be 
easily broken with basic cryptanalytic techniques. “So much 
for my brilliant scheme,” he says. 
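The weakness described above, as an added illustration that is not Zimmermann's FORTRAN program or code from the book: a constructed stand-in for a password-keyed "random substitution" cipher, showing that repeated letters do encrypt differently and that one known plaintext still exposes the keystream for every other message sent under the same password. The generator constants, the password-folding function, the password and the sample messages are all assumptions.

```python
"""Constructed stand-in for a password-keyed random-substitution cipher."""

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Constructed sample data (not from the book).
PASSWORD = "constructed-password"
MSG_A = "meet at the trail tent at ten to trade letters"
MSG_B = "the treaty text is in the attic"


def letters_of(text):
    """Keep only a-z; spaces and punctuation are dropped (a simplification)."""
    return [c for c in text.lower() if c in ALPHABET]


def seed_from_password(password):
    # Assumption: fold the password into a 31-bit seed.
    seed = 0
    for ch in password:
        seed = (seed * 131 + ord(ch)) % (1 << 31)
    return seed


def keystream(password, n):
    # Assumption: a linear congruential generator plays the role of the
    # "random number function"; it yields one shift (0..25) per letter.
    state = seed_from_password(password)
    shifts = []
    for _ in range(n):
        state = (1103515245 * state + 12345) % (1 << 31)
        shifts.append((state >> 16) % 26)
    return shifts


def encrypt(password, plaintext):
    letters = letters_of(plaintext)
    ks = keystream(password, len(letters))
    return "".join(ALPHABET[(ALPHABET.index(c) + k) % 26]
                   for c, k in zip(letters, ks))


def decrypt(password, ciphertext):
    ks = keystream(password, len(ciphertext))
    return "".join(ALPHABET[(ALPHABET.index(c) - k) % 26]
                   for c, k in zip(ciphertext, ks))


def images_of(letter, plaintext, ciphertext):
    """Set of ciphertext letters that one plaintext letter was turned into."""
    return {c2 for c1, c2 in zip(letters_of(plaintext), ciphertext)
            if c1 == letter}


def recover_keystream(known_plaintext, ciphertext):
    """With plaintext and ciphertext in hand, each shift is a subtraction."""
    return [(ALPHABET.index(c2) - ALPHABET.index(c1)) % 26
            for c1, c2 in zip(letters_of(known_plaintext), ciphertext)]


def decrypt_with_keystream(shifts, ciphertext):
    """Decrypt as far as the recovered shifts reach; no password needed."""
    n = min(len(shifts), len(ciphertext))
    return "".join(ALPHABET[(ALPHABET.index(ciphertext[i]) - shifts[i]) % 26]
                   for i in range(n))


if __name__ == "__main__":
    ct_a = encrypt(PASSWORD, MSG_A)
    ct_b = encrypt(PASSWORD, MSG_B)
    # Frequency counting fails: 't' maps to several different letters.
    print("images of 't':", sorted(images_of("t", MSG_A, ct_a)))
    # Known plaintext succeeds: the same password restarts the same stream.
    shifts = recover_keystream(MSG_A, ct_a)
    print("second message:", decrypt_with_keystream(shifts, ct_b))
```

The lesson for a design review is that defeating frequency analysis says nothing about resistance to known or chosen plaintext; a keystream derived only from the password repeats for every message.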


In the summer of 1977, with only one course to go before 
graduation and already employed at a minicomputer 
company in Fort Lauderdale, Zimmermann came across the 
Mathematical Recreations column of Scientific American, 
and found something that blew his mind. It was, of course, 
Martin Gardner’s description of public key and the RSA 
algorithm. He was hungry to know more. Out of the blue, he 
called Ron Rivest at MIT and asked him about the 
possibilities of implementing the system on a computer. 
Rivest told him that in the course of experimenting, the MIT 
group had already done that in LISP, a tony computer 
language used for artificial intelligence work. “That’s out of 
my reach,” said a disappointed Zimmermann, who had 
never had access to the flashy LISP machines; they were 
luxury items costing $100,000 and geared for research, not 
practical tasks like accounting. Though high-level 
arithmetic wasn’t his strong point, Zimmermann 
understood that the odds of getting a LISP box at Florida 
Atlantic University approached infinity to one. He 
wondered, however, whether he could do RSA on one of 
those cheap new microcomputers. That would be different. 
Zimmermann had a partial share in one of the clunky low-cost 
machines of the time—it ran on a Zilog Z-80 processor, 
sort of the Model A of the mid-1970s. But as he thought 
about implementing RSA, he realized that he had little idea 
of how to do some of the extended arithmetic routines 
explained in the MIT paper. So he didn’t try. 


There were other things happening in Phil Zimmermann’s 
life then. The same year he discovered RSA, he married his 
girlfriend Kacie Cavenaugh, who worked on the college 
switchboard. Not long afterward, the young couple visited 
friends in Boulder, Colorado, and fell in love with the area. 


Zimmermann returned to his Florida job but began 
planning for a move, and a year later he and Kacie packed 
up their Volkswagen Rabbit and drove to the Rockies. He 
got a job at a software company making workstation word 
processors, and began raising a family: their son was born 
in 1980. And then he heard Daniel Ellsberg speak at a 
nuclear freeze rally in Denver. 


In high school, Phil Zimmermann had pretty much 
ignored Vietnam, but at Florida Atlantic he had come to 
adopt a passive but heartfelt antigovernment stance. The 
Nixon scandals had opened his eyes to how brazenly the 
government could lie. By the time of Ronald Reagan’s 
presidency, he had totally soured on politics. He read 
Robert Scheer’s With Enough Shovels, and worried about 
nuclear annihilation. Zimmermann and his wife decided to 
move to New Zealand, the better to avoid the coming 
holocaust. They went so far as to acquire passports and 
immigration papers. (He had yet to learn that there wasn’t 
much of a computer industry in New Zealand.) And then he 
attended the 1982 rally where he heard Ellsberg, who, 
after his famous moment as the emancipator of the 
Pentagon Papers, had become a leading antinuclear activist. 
Zimmermann was galvanized. From that point on, he forgot 
about emigrating and decided to become active himself—to 
stay and fight. 


He and some friends were starting a company they called 
Metamorphic Systems, and they planned to produce a 
circuit board for Apple computers that would run Intel-compatible 
programs. But Zimmermann still found time to 
dig into every book he could find on NATO policy, weapon 
systems, and the like. He would spend hundreds of dollars 
at a bookstore and tear through the volumes. Then he 
began teaching military policy at the Free University in 
Boulder. He spoke at nuclear freeze rallies and advised a 
couple of candidates for Congress. Twice he was arrested at 
rallies, once at the Nevada nuclear testing range, alongside 
his heroes Ellsberg and Carl Sagan. (Neither arrest 
resulted in any charges filed.) 


But as the eighties moved on, the nuclear freeze 
movement seemed to lose steam. Metamorphic Systems 
wasn’t doing well either: once the IBM PC became 
dominant, the idea of putting Intel processors into Apple II 
computers seemed kind of ridiculous. Zimmermann himself 
was a bit lost. But then, everything changed with a single 
phone call from a programmer in Arkansas who had a 
scheme few people could appreciate more than Phil 
Zimmermann. 


The guy’s name was Charlie Merritt, and it turned out 
that he was actually doing the thing that Zimmermann had 
dreamed of since reading Martin Gardner’s column in 
1977: he was implementing an RSA public key 
cryptosystem on a microcomputer. Merritt had experienced 
a similar reaction to Zimmermann’s when he’d read about 
the work of the MIT researchers. Moving from his native 
Houston to Fayetteville, Arkansas, he started a company 
with several friends and they actually managed to create a 
public key program running on Z-80 computers. It ran very 
slowly, but it worked. But no one seemed to want to buy it. 
After a while, his friends dropped out, and Merritt, with his 
wife Hobbit, began selling the program themselves. 
Eventually news of their tiny enterprise reached the 
multibillion-dollar intelligence operation in Fort Meade. 
Periodically the NSA would send its representatives to 
Arkansas to warn Merritt of the dire consequences that 
might ensue if he sent any encryption packages out of the 
country. Since Merritt Software’s customers were largely 
overseas companies that wanted encryption to circumvent 
the peeping thugs of corrupt regimes, this restriction 
virtually shut the company down. To try to get some 
domestic leads, Merritt was reduced to calling obscure 
companies he’d read about in computer magazines, hoping 
they would package his program with their stuff. That was 
how he found Metamorphic and Phil Zimmermann. 


When Zimmermann heard what Merritt was up to, his 
excitement was so over the top that Merritt suspected a 
practical joke was being played on him: no one he’d ever 
met had been so nuts about encryption. Zimmermann told 
Merritt all about his own passion for crypto, about M.T. 
Graves and the Dungeon and Herbert Zim and Ron Rivest. 
He professed his hatred for Big Brother. But mostly, he 
wanted to know everything Merritt had learned about 
making RSA work on a personal computer. 


Now that he knew it was possible to do so, Zimmermann 
became driven to write his own public key encryption 
program—for the people. Whereas his previous efforts in 
crypto had been solely performed as neat hacks, and as an 
expression of his passion for codes in general, he now was a 
sophisticated political activist who had twice been dragged 
off to a holding pen for asserting his opinion. He now 
understood that in the computer age, government had an 
extremely powerful tool for monitoring dissent: electronic 
surveillance. Not only could Big Brother types stick their 
collective ear into phone conversations, but they could 
pluck the increasingly popular e-mail messages out of the 
digital ether and read business plans and shameful secrets 
to their black, black hearts’ content. While electronic mail 
was a terrific thing, it actually represented a step backward 
in privacy: even with relatively insecure physical mail, 
people had sealed envelopes to protect the privacy of their 
messages. What Zimmermann hoped to produce was the 
electronic equivalent to sealed envelopes. But if you gave 
people a crypto program to protect e-mail, you’d have 
something much better than sealed envelopes. If people all 
agreed to use it, he thought, it would be a form of solidarity, 
a mass movement to resist unwanted snooping. Right on, 
baby! 


Understanding the speed limitations of public key, 
Zimmermann figured that his program should be a hybrid 
cryptosystem, using the slow public key RSA protocols to 
exchange keys and some other, speedier algorithm to 
perform the bulk encryption of the actual message. He was 
unaware of Lotus Notes, which was already implementing 
such a hybrid system, and was certainly in the dark about 
RSA Data Security, Inc., which was going to base an entire 
business on licensing public key for the kind of systems 
Zimmermann thought he was himself pioneering. (Neither 
did Zimmermann have a clue about the RSA patents.) In 
any case, neither of those firms had a shipping product in 
1984. 


Zimmermann did understand several things correctly: A 
useful program should run not just on a single brand of 
computer, but on all sorts of machines. To do this, it had to 
be written in a computer language that was amenable to all 
sorts of different processors, and as any programmer knew, 
the language that best satisfied that requirement was 
called C. Fortunately, Zimmermann knew C inside out. The 
program also had to be easy to use. And its circulation had 
to be so widespread that a near-ubiquity could quickly be 
realized. Thus it would benefit by the Network Effect. 


Charlie Merritt was a holdout who still hadn’t tackled C, 
but he was strong in an area where Zimmermann was sadly 
deficient: the complicated mathematics that enabled one to 
work with the huge numbers required by RSA. This was 
particularly important in implementing RSA on a personal 
computer, which used 8-bit “words” in its calculations: it 
was a challenging process to apply those relatively small 
numbers in a way that could process the mighty numbers 
that RSA demanded—512 bits, 1028 bits, and even more. If 
you didn’t do it efficiently, the program would run so slowly 
that no one would ever use it. 
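To make the cost concrete, an added sketch (not Merritt's or Zimmermann's routines) of schoolbook multiplication on numbers stored as 8-bit "words", counting the byte-sized multiplies a 512-bit product needs. The operand values are constructed, and the exponentiation figure is a rough estimate that assumes plain square-and-multiply and ignores modular reduction.

```python
"""Multiprecision multiplication on 8-bit limbs, with an operation count."""

LIMB_BITS = 8
LIMB_MASK = 0xFF


def to_limbs(n, count):
    """Split a non-negative integer into `count` little-endian 8-bit limbs."""
    limbs = []
    for _ in range(count):
        limbs.append(n & LIMB_MASK)
        n >>= LIMB_BITS
    if n:
        raise ValueError("value does not fit in the requested limb count")
    return limbs


def from_limbs(limbs):
    """Reassemble little-endian 8-bit limbs into one integer."""
    value = 0
    for limb in reversed(limbs):
        value = (value << LIMB_BITS) | limb
    return value


def mul_limbs(a, b):
    """Schoolbook product of two limb arrays.

    Returns (product_limbs, count of 8-bit x 8-bit multiplies performed).
    """
    result = [0] * (len(a) + len(b))
    multiplies = 0
    for i, ai in enumerate(a):
        carry = 0
        for j, bj in enumerate(b):
            # 255*255 + 255 + 255 = 65535, so the sum fits in 16 bits:
            # the low byte stays in place, the high byte is the carry.
            t = ai * bj + result[i + j] + carry
            multiplies += 1
            result[i + j] = t & LIMB_MASK
            carry = t >> LIMB_BITS
        result[i + len(b)] = carry
    return result, multiplies


def modexp_multiply_estimate(bits):
    """Rough count of byte multiplies for one modular exponentiation.

    Assumption: square-and-multiply with a `bits`-bit exponent does `bits`
    squarings and about bits/2 multiplications, each a schoolbook product
    of (bits/8)-limb operands; reduction steps are not counted.
    """
    limbs = bits // LIMB_BITS
    return (bits + bits // 2) * limbs * limbs


# Constructed 512-bit operands (arbitrary values, not real key material).
A = (1 << 511) | 0x1234567890ABCDEF
B = (1 << 512) - 569

if __name__ == "__main__":
    product, count = mul_limbs(to_limbs(A, 64), to_limbs(B, 64))
    print("product correct:", from_limbs(product) == A * B)
    print("byte multiplies for one 512-bit product:", count)
    print("estimated for one exponentiation:", modexp_multiply_estimate(512))
```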


Though no immediate business deal came of Merritt’s call 
to Metamorphic, he and Zimmermann became constant 
telephone correspondents, with Zimmermann soliciting all 
of Merritt’s knowledge of multiprecision arithmetic 
functions. It was such a complicated process that eventually 
they decided that Merritt should come to visit Zimmermann 
in Boulder for a sort of arithmetic boot camp, in November 
1986. 


It was an action-packed week, and not only because of the 
math that Zimmermann learned. Merritt was working on a 
project for the navy, producing a conventional cipher; he 
taught it to the younger man. The project had been 
subcontracted to Merritt by a company for whom he’d been 
consulting: RSA Data Security. Before he flew to Boulder, 
he’d called the company’s new president to ask if they 
might meet in Colorado, a place that was a sight easier to 
get to than Fayetteville, Arkansas. Jim Bidzos agreed. 


Bidzos had been looking forward to a testosterone-charged 
get-to-know-you dinner with Merritt—two guys in a 
steak house lighting cigars and swapping lies. Instead he 
found a third wheel was included, Zimmermann. And 
instead of a steak house, they wound up at The Good Earth, 
a brightly lit emporium of salads and grains. 


The actual conversation at the restaurant would become 
a matter of dispute. Jim Bidzos later said he had been 
startled when Phil Zimmermann spoke of his plan to create 
a program that used RSA’s proprietary protocols. In fact, 
RSA had a similar program, and Bidzos had brought along 
two copies. This was Mailsafe, written by Rivest and 
Adleman, two guys who by now had more math and 
cryptography knowledge in their little fingers than 
Zimmermann had managed to glean from Merritt in two 
years. Zimmermann, however, would claim that Bidzos was 
impressed with his plans, so much so that he offered the 
programmer a free license to the RSA algorithm. Bidzos 
would later vociferously deny making any such offer. 


In any case, Zimmermann saw no reason to change his 
own plans, and he spent the next few years furthering his 
didactic education on cryptography so he could complete 
his own encryption program. He wrote up some of his ideas 
in a paper that was published, to his pride, in IEEE 
Computer, a well-regarded computer-science journal. Not 
bad for a kid from Florida Atlantic University. 


Then he began working on the actual program. One 
crucial step was producing the bulk encryption algorithm 
that would perform the actual encoding of message 
content. Eschewing DES and the RSA-owned RC-2 standard 
devised by Ron Rivest, he attempted the risky course of 
producing his own cipher. It was based on the one that 
Charlie Merritt had taught him, the cipher Merritt had 
produced for the navy. But Zimmermann toughened the 
system by introducing multiple rounds of substitution. As he 
refined his concept, he recalled a Dan Aykroyd routine from 
the original Saturday Night Live television show. Portraying 
a fast-talking late-night huckster, Aykroyd hawked a 
blender so powerful that you could throw a fish into it: the 
liquefied output would be a healthy juice (yum). This was 
the Bass-O-Matic, a perfect name, Zimmermann figured, for 
an encryption algorithm. Any cryptanalyst who confronted 
his scrambled messages would be as ineffectual at 
reconstructing them, he hoped, as someone attempting to 
reconstitute a silvery, flopping fish from the noxious goo 
emerging from the Bass-O-Matic blender. 


Zimmermann went on to other problems, and pieces fell 
into place—message digests, interface, and a range of 
protocols. But after months and months of work, all he 
really had were separate components that still weren’t tied 
together into a working program. “It took a lot more work 
to put them together,” he says. By 1990—six years after 
first talking to Charlie Merritt and four years since Merritt’s 
visit to Boulder—Zimmermann realized that in order to 
finish he would have to make a total gung-ho commitment, 
even if it meant having to tighten his budget, cut out the 
consulting, and spend less time with his family. He 
embarked on a full-time regimen of programming. 


Zimmermann had dreamed up a name for his work in 
progress, though not one as irreverent as Bass-O-Matic. 
Zimmermann had been an early devotee of the Macintosh 
computer, and had experimented with a simple data 
communications program when none had existed. Thinking 
of “Ralph’s Pretty Good Grocery,” an imaginary sponsor 
from Garrison Keillor’s A Prairie Home Companion radio 
show, he had called it “Pretty Good Terminal.” This gave 
him the idea for the name of his crypto program: Pretty 
Good Privacy. He never really considered that it might 
become a major brand name. But then, his marketing plans 
were vague. He did hope to make some money selling PGP 
but figured on a modest amount using shareware rules, 
where people would download the program and pay him on 
the honor system. 


For the next six months, Zimmermann worked twelve-hour 
days in a bedroom of his house, which he almost lost 
because he didn’t have the money to make the mortgage 
payments. Maybe, he figured, if he finally finished PGP and 
released it, enough users would send him money to get him 
back on his feet. As the software got closer to completion, 
he called Jim Bidzos to see if they could finally clear up the 
intellectual property issue that the RSA chief had brought 
up during that ill-fated dinner. Zimmermann explained his 
product and asked for a go-ahead to use the RSA algorithm. 
Bidzos was appalled at the request: this guy thinks we'll 
just give him our crown jewels? Maybe instead of asking for 
handouts, he suggested, Zimmermann should develop his 
product for some company rich enough to get a standard 
RSA license. 


The whole conversation was so out of line with 
Zimmermann’s vision for his product—and the dim view he 
took of the high-powered business world—that he basically 
ignored the whole problem and went back to work. 


By early 1991, Zimmermann was making progress toward 
a working product. Then something happened to change his 
course—and to make PGP famous. The unlikely agent in this 
shift was U.S. Senator Joseph Biden, the head of the Senate 
Judiciary Committee and a cosponsor of pending 
antiterrorist legislation, Senate Bill 266. In a draft of the bill 
introduced on January 24, Biden inserted some new 
language: 


It is the sense of Congress that providers of 
electronic communications services and 
manufacturers of electronic communications 
service equipment shall ensure that 
communications systems permit the 
government to obtain the plaintext contents of 
voice, data, and other communications when 
appropriately authorized by law. [Emphasis 
added.] 


A poison needle in a haystack of clauses and 
qualifications, this passage originally escaped scrutiny. But 
its appearance was no accident. The language of the bill 
had been forged with the help of law enforcement agencies. 
That sentence was included at the explicit request of the 
FBI. And what a sentence it was! It plunged a virtual 
dagger into the heart of the crypto revolution. How could 
tech companies and services promise to deliver the 
plaintext contents of encrypted texts—the original 
messages meant to be read only by their intended 
recipients—if people scrambled them with programs like 
Mailsafe, Lotus Notes, and PGP? Logically, the only way that 
the “sense of Congress” could be satisfied would be a ban 
on any encryption except that equipped with “trapdoors” 
that the manufacturers and services could flip open at the 
demand of the feds. 


It wasn’t until April 1991, however, that the crypto 
community itself learned of this legislative time bomb. A 
consultant who had done work for the NSA revealed the 
offending clause on various Internet bulletin boards, along 
with apocalyptic commentary: “Are there readers of this list 
that believe that providers of electronic communications 
services can reserve to themselves the ability to read all the 
traffic and still keep the traffic ‘confidential’ in any 
meaningful sense? ... Any assertion that all use of any such 
trapdoors would be only ‘when appropriately authorized by 
law’ is absurd on its face... . Any such mechanism would be 
subject to abuse.” The message ended with a warning that 
would galvanize Phil Zimmermann: “I suggest you begin to 
stock up on crypto gear while you can still get it.” 


To Zimmermann, S. 266 was the ultimate deadline. If he 
didn’t get PGP out into the world now, the government 
might prevent its very existence. At least for the time being, 
domestic crypto was legal. So Zimmermann decided to 
finish up the first version of PGP quickly and get it out to as 
many people as possible. He also gave up his financial 
hopes for PGP. Instead of releasing it as shareware, he 
designated it “freeware.” This meant not only that the 
software didn’t cost anything, but also that users could 
themselves distribute it far and wide to others with the 
blessing of its creator. 


Fortunately, a medium existed that made it easier than in 
any time in history to circulate an encryption system like 
PGP: the Internet. In 1991, the formerly government-owned 
computer network was just beginning its meteoric rise to 
ubiquity. Thousands of discussion groups abounded, and 
millions of files were downloaded every day. The majority of 
users at the time did not yet reflect the public at large— 
most were very computer savvy, and a lot of them were 
outright nerds. But these were exactly the types of people 
who would respond to PGP, which, despite Zimmermann’s 
best efforts, was still not as easy to use as MacWrite or 
Tetris. 


Oddly, at that time, Zimmermann himself was not much of 
an Internet devotee. He hardly knew how to use e-mail. In 
this sense he was still the outsider looking in. But in recent 
months he had begun a correspondence with a fellow 
crypto enthusiast in California, Kelly Goen, whom he had 
met through Charlie Merritt. In the month after the on-line 
call to action about S. 266, Zimmermann apparently gave 
Goen a copy of his PGP software so that it could be spread 
on the Internet “like dandelion seeds,” Zimmermann later 
wrote. On May 24 Goen e-mailed Jim Warren, a computer 
activist and columnist for MicroTimes, a Bay Area 
computer-oriented newspaper, and explained the purpose 
of flooding the networks with PGP. “The intent here,” wrote 
Goen, “is to invalidate the so-called trapdoor provision of 
the new Senate bill coming down the pike before it makes it 
into law.” In other words, if thousands of copies of PGP were 
in use, Senate Bill 266 would be rendered irrelevant; when 
confronted with PGP-encrypted files, the AT&Ts of the world 
would not be able to guarantee plaintext to G-men or 
spooks. 


On the first weekend in June, Jim Warren got a series of 
calls from Goen, who told him that PGP day had arrived. 
Goen was obviously intoxicated with the drama of it all, 
taking precautions that were more from the book of 
Maxwell Smart than James Bond. “He was driving around 
the Bay Area with a laptop, acoustic coupler, and cellular 
phone,” Warren later wrote in MicroTimes. “He would stop 
at a pay phone, upload a number of copies for a few 
minutes, then disconnect and rush off to another phone 
miles away. He said he wanted to get as many copies 
scattered as widely as possible around the nation before the 
government could get an injunction and stop him.” 


Apparently, Goen was also careful to upload only to 
Internet sites inside the United States. Of course, once a 
software program appears on a file server, anyone in the 
world can download it: Pakistani hackers, Iraqi terrorists, 
Bulgarian freedom fighters, Swiss adulterers, Japanese 
high schoolers, French businessmen, Dutch child 
pornographers, Norwegian privacy nuts, or Colombian 
drug dealers. Though not yet a cliché, an Internet slogan 
was already becoming a familiar refrain: On the 
Information Highway, borders are just speed bumps. 


How quickly did PGP leave the United States and find its 
way overseas, without as much as a howdy-do to the export 
laws? Instantly. Zimmermann would later marvel at hearing 
that the very next day people in other countries were 
encrypting messages with PGP. How could Zimmermann 
have avoided this potentially illegal passage of his program 
to distant shores? “I could have not released it at all,” he 
later said. “But there’s no law against Americans having 
strong cryptography.” And, after all, Phil Zimmermann 
engineered his sudden release of PGP not to circumvent 
export laws, but to arm his countrymen, the people who 
might be affected by Senate Bill 266. His motto, as 
expressed in his documentation to the program, was “When 
crypto is outlawed, only outlaws will have crypto.” 


Ironically, Joseph Biden’s offending language, the impetus 
for Zimmermann’s extraordinary step, met a much less 
enthusiastic response than PGP did. Senator Biden had 
been taken by surprise at the huge expression of public 
outrage (fueled by civil liberties groups) at the stealth 
antiprivacy language he had introduced. By June, he had 
quietly withdrawn the clause. But the incident left an 
unexpected legacy: hundreds of thousands of PGP-encrypted 
messages circulating throughout the world. 
Pretty Good Privacy had escaped from Phil Zimmermann’s 
hard drive and had now been cloned countless times. He 
could no more recall it than one could take back one’s 
words after they were uttered. 


Zimmermann was proud of PGP 1.0 though defensive at 
its shortcomings. Maybe it didn’t introduce any 
mathematical innovations. And maybe the coding was so 
disorganized that he felt compelled to apologize for it in the 
documentation. But it was one of the first really usable 
personal computer solutions for a complete cryptosystem, 
from digital signatures to encryption. “If you look at what 
was available at that time, there were only laboratory petri-dish 
versions of RSA,” he says. “One had been published in 
Byte; it took all afternoon to do an RSA calculation. Mine 
did that in a few seconds. I had brought together a practical 
implementation that had all the things you needed to do 
public key cryptography. It was a major event...it was a 
watershed event.” 


One person disagreed strongly: Jim Bidzos of RSA and 
Public Key Partners. When he saw PGP, he was outraged. 
This was no original product, he felt—look at Mailsafe—but 
a blatant rip-off of his company’s technology and patents. 
Why didn’t Zimmermann get honest and call it Pretty Good 
Piracy? Bidzos called the Colorado programmer and, 
literally screaming at him, demanded he remove the 
software from circulation. Despite all Bidzos’s previous 
animosity, Zimmermann was actually taken aback at this 
response: “I thought he would be delighted,” he says. He 
attempted to defend himself. He had done PGP for political 
reasons, not to challenge any commercial enterprises. After 
all, the Fortune 500 companies that were RSA’s potential 
customers don’t use freeware; they buy their software from 
companies that will back it up and support it. So what was 
the problem? 


Bidzos accused him of actually playing into the NSA’s 
hands—because anything that hurt his company was music 
to Fort Meade. 


Not long afterward, Bidzos had his lawyer put 
Zimmermann on legal notice that he was infringing on 
PKP’s patents. This worried Zimmermann, and he called 
Bidzos once again to try to make a deal. The basis of the 
agreement was simple: Zimmermann would not distribute 
his software with the RSA protocols, and Bidzos would not 
sue him. An agreement was indeed drawn up to that effect, 
and Zimmermann signed it. But each party had his own 
interpretation of that phone conversation. Bidzos felt that 
the deal compelled Zimmermann actually to kill PGP. 
Zimmermann insisted that he had only affirmed his 
understanding of a hypothetical agreement: if he stopped 
distribution of PGP, then he would not be sued. 
Zimmermann would also claim Bidzos gave him verbal 
assurances that RSA would sell licenses to PGP’s end-users 
so they could use the software without infringing on RSA’s 
patents. Bidzos denied those claims. 


It later became clear that Zimmermann’s interpretation 
of “distributing PGP” was somewhat narrow. By leaving the 
distribution to others, he felt that he was free to continue 
his involvement with the software. In fact, Zimmermann 
was supervising a second release of PGP, this one with the 
help of some more experienced cryptographers. 


He’d realized that he needed help after a sobering 
experience at Crypto ’91 in Santa Barbara. His main 
mission had been to get a reading from the wizards there 
on the security of PGP. (Admittedly this task was overdue, 
considering that thousands of people were already using 
the program.) Right away, he ran into Brian Snow, one of 
the top crypto mathematicians at the NSA. Zimmermann, of 
course, was curious as to whether the government was 
upset about PGP. “If I were you, I would be more concerned 
about getting heat from Jim Bidzos than from the 
government,” said Snow. 


This puzzled Zimmermann—why wasn’t the government 
worried? Then he sought private comments on his program. 
After first getting a brush-off from Adi Shamir—the Israeli 
cryptographer told him to send the program to Israel and 
he’d spend ten minutes with it—Zimmermann got the 
attention of Shamir’s colleague at Weizmann, Eli Biham. 
They retreated to the UCSB cafeteria, scene of many a bull 
session and impromptu cryptanalysis at the annual 
conference. For Zimmermann, it was a long lunch in more 
ways than one; Biham quickly embarrassed the amateur 
cryptographer by uncovering several fatal flaws in Bass-O-Matic. 
The cipher was, for instance, vulnerable to a 
differential cryptanalysis attack. While not exactly a dead 
fish, the Bass-O-Matic was far from a prize catch. 


Zimmermann now realized that he could only truly 
improve PGP if he were to recognize his own limitations. His 
ultimate success at codemaking would come from realizing 
that he wasn’t really a great cryptographer. He was a 
knowledgeable packager and programmer who would need 
ace mathematicians and cryptographers to help him with 
the hard-core details. 


Fortunately, a lot of very smart people had been excited 
by the release of PGP 1.0. Instead of feeling burned by its 
weaknesses, they were eager to pitch in and fix them. Soon 
Zimmermann had recruited volunteers in New Zealand, 
Holland, and California to be his mainstay engineers. A 
casual collection of kibitzers also contributed advice and 
small pieces. Together they began work on version 2.0. 
Zimmermann was the chief designer, approving every 
decision, every line of the code, but he hid his role so that 
Bidzos wouldn’t think that he was abandoning his promise 
not to violate RSA’s patents. 


The result was PGP 2.0, an infinitely stronger product. 
Bass-O-Matic had been tossed aside (“Calling it that wasn’t 
too good an idea, anyway,” says Zimmermann. 
“Cryptography is something you can’t joke about”). In its 
place, Zimmermann chose a preexisting Swiss cipher called 
the International Data Encryption Algorithm, or IDEA. 
Written in 1990 by two celebrated cryptographic 
mathematicians, IDEA had quickly stood up to public 
scrutiny. Zimmermann felt the IDEA cipher was even 
stronger than DES, particularly with the 128-bit keys he 
recommended. “This is not,” he wrote in the 2.0 
documentation, “a home-grown algorithm.” 


Another crucial improvement came in an area that 
Zimmermann basically had ignored with PGP 1.0: key 
certification, the process by which public keys are 
authenticated. Certification is often seen as the Achilles’ 
heel of public key systems. The classic conundrum in such 
systems arises when Alice wants to send something to Bob. 
She scrambles it with Bob’s public key, and only Bob can 
unscramble it. But what if Alice has never met Bob—how 
does she get his public key? If she asks him for it directly, 
she can’t encode her request (obviously not, because she 
doesn’t have his public key yet, which she would use to 
encrypt the message). So a potential eavesdropper, Eve, 
could act as “a man in the middle,” and snatch that 
message en route. Then Eve, pretending to be Bob, could 
send her own public key to Alice, falsely representing it as 
Bob’s key. (This deceptive masquerade is known as 
“spoofing.”) If Alice is duped, she’ll encode her secret 
message to Bob with the key. Alas, Bob won’t be able to 
read anything scrambled with that key—only tricky Eve can. 
So much for the security of direct requests. 


What about the idea of publishing something like a digital 
phone book full of public keys? The forging problem 
persists, unless you have a certifiably secure means of 
protecting that book and assuring that the keys really do 
belong to their purported owners. Yes, it would require an 
extravagant effort to pull off such a fraud. But it’s possible, 
and as long as the vulnerability exists, any public key 
system has to figure out a way to get around this security 
hole. 


Many people have come to think that the answer lies in a 
large-scale “certification authority” to distribute and verify 
public keys. Such a center would be able to process millions 
of public keys. Using the certification authority’s own public 
key—presumably a key so well-circulated that no one could 
spoof it—you could securely query it to get someone’s key, 
or verify a public key someone sent you. Of course, such an 
ambitious solution was impossible for Zimmermann. He 
didn’t have the wherewithal, or money, to set up a closely 
monitored certification authority to distribute and verify 
public keys. So he had to come up with another method. 


His solution was quite ingenious, especially since it 
reflected the outsider sensibility that generally 
characterized his efforts. Instead of a central key authority, 
he envisioned the PGP community itself as an authority. 
“PGP allows third parties, mutually trusted friends, to sign 
keys,” explained Zimmermann in a 1993 interview. “That 
proves that they came from who they said they came from.” 
By “signing” keys, Zimmermann was talking about a 
technique whereby someone in effect attached his or her 
own public key to someone else’s, as a sort of stamp of 
approval. After you generated a public key, you’d get the 
key signed by people who knew you personally. These 
signings were to be performed face-to-face, to minimize the 
threat of spoofing. So if Alice knows Bob personally, she 
arranges to meet him, and physically hands him a disk with 
her PGP public key. Using his copy of PGP, Bob signs it with 
his own private key. (This is done simply by selecting a 
function in the software program and clicking the mouse.) 
He gives her back the signed key and keeps a copy for his 
own “public key ring,” a collection of signed keys that PGP 
users are encouraged to keep on their hard drives. Later, a 
third party, Carol, might want to communicate with Alice 
but doesn’t know her. So Carol seeks out Alice’s public key, 
either from her directly or from a bulletin board full of 
public keys. In the latter case, how does she know it’s really 
Alice’s? She checks to see who has signed the key—does it 
have the imprimatur of anyone she knows? Since Carol 
knows Bob—and has earlier received a verified copy of 
Bob’s public key—she can establish the veracity of his 
signature. If it checks out, that means that Bob has really 
met the person who holds this new key and is implicitly 
telling Carol, “Hey, it’s really Alice.” So Carol can be sure 
that Alice is who she says she is. At least to the degree she 
trusts Bob. 


This system—known as a “web of trust”—requires some 
judgment on the user’s part. After all, Carol can’t be sure of 
Alice’s identity unless she personally knows someone who 
has physically met her and signed her key. What if she 
doesn’t know anyone who’s physically signed it? Is it worth 
trusting a second-level verification? Maybe her friend Bob 
hasn’t signed Alice’s key, but he has signed a key of 
someone named Ted. And Ted has signed Alice’s key. 
Whether you'll trust that signature depends on Ted’s 
reputation: who are the people who have signed his key? As 
more and more people used PGP, some were bound to 
develop a reputation for being scrupulous in verifying the 
keys they sign. Seeing one of those trusted introducers on a 
key ring would be a strong assurance of authenticity. In any 
case, PGP allowed users to set what cryptographer Bruce 
Schneier refers to as “paranoia levels”: how many levels of 
separation you’re willing to accept, depending on the 
degree to which you trust various signers. 
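
The chain-of-signatures check described above, as an added example (not code from PGP or from this book, and simpler than PGP's real trust model). It uses textbook RSA over small constructed primes only so that the signatures can actually be verified; `max_depth` stands in for the "paranoia level," `introducers` for the signers Carol is willing to rely on, and every function name is an assumption.

```python
"""Toy web-of-trust check: added illustration, not PGP's code or its real trust algorithm."""
import hashlib
from collections import deque

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA from two primes. Constructed toy keys, far too weak for real use."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"pub": (n, E), "d": pow(E, -1, phi)}

def digest(name, pub, n):
    """Hash the (owner name, public key) binding and reduce it into the signer's modulus."""
    data = f"{name}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def certify(signer_name, signer_key, name, pub):
    """The signer vouches that `pub` belongs to `name` (the face-to-face key signing)."""
    n, _ = signer_key["pub"]
    sig = pow(digest(name, pub, n), signer_key["d"], n)
    return {"name": name, "pub": pub, "signer": signer_name, "sig": sig}

def cert_ok(cert, signer_pub):
    """Check a certification against the signer's public key."""
    n, e = signer_pub
    return pow(cert["sig"], e, n) == digest(cert["name"], cert["pub"], n)

def trust_depth(name, pub, verified, introducers, certs, max_depth):
    """Return how many signature hops separate (name, pub) from a key the user
    verified in person, or None if no acceptable chain exists.

    verified    -- {name: pub} keys the user checked directly (depth 0)
    introducers -- names whose signatures the user is willing to rely on
    max_depth   -- the "paranoia level": longest chain of signatures accepted
    """
    depth = {(n, k): 0 for n, k in verified.items()}
    queue = deque(depth)  # breadth-first, so the first depth recorded is the shortest
    while queue:
        signer, signer_pub = queue.popleft()
        hops = depth[(signer, signer_pub)]
        if signer not in introducers or hops >= max_depth:
            continue  # this key is accepted, but may not vouch for others
        for cert in certs:
            binding = (cert["name"], cert["pub"])
            if cert["signer"] != signer or binding in depth:
                continue
            if cert_ok(cert, signer_pub):  # must verify under a key already accepted
                depth[binding] = hops + 1
                queue.append(binding)
    return depth.get((name, pub))

# Constructed keys built from well-known Mersenne primes (2**k - 1).
M = lambda k: 2**k - 1
BOB, TED = make_key(M(61), M(89)), make_key(M(107), M(127))
ALICE, EVE = make_key(M(13), M(17)), make_key(M(19), M(31))

CERTS = [
    certify("Bob", BOB, "Ted", TED["pub"]),      # Bob met Ted
    certify("Ted", TED, "Alice", ALICE["pub"]),  # Ted met Alice
    certify("Eve", EVE, "Alice", EVE["pub"]),    # Eve's key, falsely labelled "Alice"
]
# Ted's genuine signature pasted onto Eve's key: the signature no longer verifies.
SPLICED = dict(CERTS[1], pub=EVE["pub"])

CAROL_VERIFIED = {"Bob": BOB["pub"]}  # Carol checked Bob's key in person

if __name__ == "__main__":
    for level, trusted in [(1, {"Bob", "Ted"}), (2, {"Bob"}), (2, {"Bob", "Ted"})]:
        d = trust_depth("Alice", ALICE["pub"], CAROL_VERIFIED, trusted, CERTS, level)
        print(f"max_depth={level} introducers={sorted(trusted)} -> Alice's key: {d}")
    forged = trust_depth("Alice", EVE["pub"], CAROL_VERIFIED, {"Bob", "Ted"},
                         CERTS + [SPLICED], 5)
    print("Eve's forged 'Alice' key:", forged)
```

Carol accepts Alice's key only when she both allows two hops and relies on Ted as an introducer; the key Eve labelled "Alice" is rejected at any depth because no signature on it chains back to a key Carol verified herself.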


With this web of trust, a stronger encryption algorithm, a 
better interface, and a number of other improvements, PGP 
2.0 was—unlike Zimmermann’s favorite weekend comedy 
show—ready for prime time. The informal team of 
programmers had even prepared translations of the 
interface in several languages, so people worldwide could 
use it from the day of release. In September 1992, two of 
Zimmermann’s helpers posted PGP 2.0 on the Net from 
their respective homes in Amsterdam and Auckland. This 
way, the program could be imported into the United States, 
violating no export regulations. In almost no time, the new 
version supplanted and exceeded the first one. “I got more 
mail in the month after the release than I had received the 
whole previous year,” says Zimmermann. “It was like 
lighting a match to dry prairie grass.” 


Jim Bidzos became, if possible, even angrier. He was 
particularly outraged at a contention of Zimmermann’s 
included in the documentation that came with every 
download of PGP. Zimmermann claimed that Public Key 
Partners was ripping off the American public by making 
people pay for technology developed on the government 
dime. After Zimmermann’s attempts to cover himself with 
disclaimers (“The author of this software implementation of 
the RSA algorithm is providing this . . . for educational use 
only. ... Licensing this algorithm from PKP is the 
responsibility of you, the user, not Philip 
Zimmermann... .”), he launched into a long justification of 
his actions, claiming that he didn’t think he was infringing 
on any patents. He implied that by controlling the patents 
to public key cryptography, Public Key Partners 
—“essentially a litigation company,” he called it—was doing 
the NSA’s dirty work by denying crypto to the people! 
Finally, while not giving any assurances, he told potential 
users that they didn’t have much to worry about by 
violating PKP’s patent rights: “There are just too many PGP 
users to go after,” he wrote. “And why would they single you 
out?” 


“He’s misleading people, defaming us as a way of getting 
support for his own agenda,” said Bidzos in 1994. “There’s 
the evil government trying to deny you your right to privacy 
and the evil patent holders bent on ripping you and the 
government off—it’s not really clear who’s worse, but you 
can put them both off by using this software. He knew it 
was false.” 


Bidzos did have a point: RSA itself had already produced 
Mailsafe, an implementation of the public key patents. Both 
parties agree that during the contentious 1986 dinner 
meeting, Bidzos gave Zimmermann a copy of Mailsafe, but 
Zimmermann claimed he never tested the software or read 
the documentation because he’d already figured out how 
his product would work. “This guy says he was blown away 
by the invention of RSA,” says Bidzos. “We’re supposed to 
believe that he took software written by the people who 
invented it, his heroes, and never was curious enough to 
look at it?” 


Yet much of Bidzos’s fury was directed not just at 
Zimmermann’s actions but at the runaway popularity of 
PGP. Because it was free, available worldwide regardless of 
export laws, and had quickly attained a patina of coolness 
among the high-tech crowd, its usership quickly exceeded 
that of Mailsafe, and was now threatening to become an 
Internet standard. Despite not being an accomplished 
cryptographer with a Stanford or MIT pedigree, despite 
having virtually no sense of business or marketing, 
Zimmermann had done what neither the original world-class 
public key mathematicians nor the market-savvy 
Bidzos had succeeded in doing: create a bottom-up crypto 
phenomenon that not only won over grassroots users but 
was being described as the major challenge to the 
multibillion-dollar agency behind the Triple Fence. No 
wonder that by the end of 1992, Phil Zimmermann had 
gone from total obscurity to the hero of the crypto 
underground. “If I go to Europe, I’ll never have to buy 
lunch,” he said. “I have a huge number of adoring fans.” 


Zimmermann’s do-it-yourself effort to create a crypto 
program and distribute it to the people—an effort 
consciously undertaken to circumvent government control 
—marked a new dimension in the ongoing battle between 
the NSA and the cryptographers who worked outside its 
reach. The agency had once felt that its voluntary 
prepublication compromise with academics had mitigated 
much of the potential damage of that community’s 
emergence. (And with the troublesome First Amendment in 
play, there was little choice in the matter.) Fort Meade’s 
minions were also fending off the commercial threat to its 
dominance by budging only slightly on the export situation. 


But it was getting harder to convince people that it made 
sense to control cryptography. It was becoming increasingly 
clear that this was not a weapons technology but one that 
might fit in as a common artifact of everyday life. All those 
millions who used Lotus Notes were already aware of its 
benefits. Those with garden variety e-mail were shocked to 
find that basic protections just weren’t there—sending mail 
on the Internet seemed secure but was actually one step 
removed from broadcasting. And as more people began 
using cellular phones, for instance, they wondered why it 
was that their calls could be so easily monitored by any 
wirehead who plunked down a hundred dollars for a 
scanner. Even the Prince of Wales had his cell calls to his 
mistress intercepted, with the whole world now chuckling 
at endearments he uttered to her, endearments that were 
intensely personal (OK, they involved menstruation 
supplies). In a world of highly evolved communications, why 
shouldn’t everything be protected? Even the National 
Football League figured this out: it used crypto to encode 
the radio signals sent from coaches in the observation 
booth to quarterbacks on the field. This was something 
anyone could understand. Here was something as 
straightforward as a means to prevent the Green Bay 
Packers from stealing the next play from John Elway... and 
we called this national security? 


These were tough questions for a branch of government 
not used to answering any questions at all. But the 
questioning was about to become more intense as a new 
force, in part inspired by Zimmermann, now came into play: 
cryptoactivism. Strong cryptography distributed on the 
Internet—and a revolutionary movement built around 
producing and distributing strong codes—seemed on its 
face a fringe activity. But with the crypto controversy 
heating up, it turned out that the time was ripe for a small 
movement to apply leverage. 


So it seemed to two crypto enthusiasts who hatched an 
idea for a group that would be outside even the outsiders in 
the battle for cryptography. The concept developed 
spontaneously when Eric Hughes, a young mathematician 
living in the north Bay Area and thinking of moving down 
the California coast, visited his friend Tim May in Santa 
Cruz to do some house hunting. 


Hughes and May were an interesting combination, bound 
by scientific passion, political libertarianism, and a slightly 
unnerving paranoia. (Hughes liked to joke about this, citing 
an unknown philosopher who supposedly said, 
“Cryptography is the mathematical consequence of 
paranoid assumptions.”) Both cut striking figures, 
eschewing a math-nerd look for the frontier garb of the Old 
West: crypto cowboys. Hughes was often seen in a felt 
Stetson. 


At forty, May was a physicist who had retired from Intel 
seven years earlier with a bundle of stocks. His major 
contribution at the semiconductor giant had been his proof 
that quantum events—the meanderings of subatomic 
particles—could affect the calculations performed by 
semiconductor chips. May’s discovery allowed Intel’s 
designers to devise strategies to deal with this problem, 
enabling the steady progress of Moore’s Law. Outside of 
technology, May was an advocate of libertarianism, as 
opposed to government restrictions. “I got converted by 
reading Ayn Rand as a kid,” he says. “I would write 
polemics about natural rights in class.” As an adult he 
posted such polemics—intentionally provocative and highly 
entertaining rants—to Usenet groups, and his hard-core 
advocacy of unbridled cryptography had earned him an 
edgy reputation. A slim, bearded man who often wore an 
outback hat, he owned a small house cluttered with books, 
gadgets, and well-fed cats. 


A semilapsed Mormon from Virginia, Eric Hughes had a 
long, wispy light-brown beard, aviator wire-rimmed glasses, 
and a cold, sarcastic wit. Not yet thirty, he was brimming 
with attitude. But his cocky sureness was tempered with a 
steady intelligence that enabled him to understand both 
sides of an issue. He loved cryptography. He’d studied math 
at Berkeley, and worked for a company overseas for a while. 
Now, at the dawn of the Internet, he was figuring out how 
he could use codes to fortify the information age. His 
ultimate goal was combining pure-market capitalism and 
freedom fighting. In his world view, governments—even 
allegedly benign ones like the United States—were a 
constant threat to the well-being of citizens. Individual 
privacy was a citadel constantly under attack by the state. 
The great miracle was that the state could be thwarted by 
algorithms. “It used to be that you could get privacy by 
going to the physical frontier, where no one would bother 
you,” he said. “With the right application of cryptography, 
you can again move out to the frontier—permanently.” 


As radical as Hughes’s vision was, it paled in comparison 
to that of his Santa Cruz friend. When Tim May thought 
about crypto it was almost like dropping acid. In the 
computer age, we create “virtual regions,” he would say. 


And the conduits and pipes of the future, the very mortar 
and walls of those virtual spaces, could be held up by 
nothing but crypto. Oh, God, May would burst out when 
speaking of this vision, it’s so profound. There’s nothing 
else! One-way functions like the ones exploited by Diffie, 
Merkle, and Rivest were the building blocks of cyberspace, 
he insisted, and if we don’t use them we would be reduced 
to pathetic shivering creatures standing in the ashes of a 
virtual burned-out house. But with it, everything is 
imaginable. Secure conduits—untappable by the NSA!— 
from hackers in Los Gatos, California, to activists in St. 
Petersburg, Russia. Transactions beyond taxation. And an 
end to the nation-states. That was the coming revolution, 
according to Tim May. 


Such were the topics discussed in May 1992 during Eric 
Hughes’s house-hunting visit to Tim May. There was so 
much to talk about that the conversation lasted for three 
days. “We’d get up in the morning and just keep chatting 
and chatting and I wouldn’t get anything done about 
looking for a house,” says Hughes. “And we’d go out to 
lunch and come back and keep going. It just went on and 
on.” By the end of the visit—not surprisingly, Hughes had 
made no progress in finding a house and went back to his 
shared crashpad in Berkeley—they agreed to organize a 
loose confederation of those with similar views. Not to sit 
around and bullshit, but to actually produce, a la 
Zimmermann, the tools that would arm the general public 
against cyberthieves, credit bureaus, and especially the 
government. 


In the next few weeks, they enlisted the aid of some 
influential figures in the antigovernment crypto community. 
One forceful ally was thirty-seven-year-old John Gilmore, a 
gentle computer hacker with long thinning hair and a wispy 
beard (when he stood beside Eric Hughes, the two of them 
looked like a geeky version of the cough-drop-icon Smith 
Brothers). Gilmore had made a small fortune from being 
one of the original programmers at Sun Microsystems—he 
had been employee number five—but left in 1986. In 1990, 
along with Mitch Kapor and Grateful Dead lyricist John 
Perry Barlow, he’d founded the Electronic Frontier 
Foundation (EFF) to enforce civil liberties in the digital age, 
and had just started a new company called Cygnus Support, 
devoted to aiding users of free software. His hobby-horse 
was personal privacy. At a 1991 conference called 
“Computers, Freedom, and Privacy,” he delivered a speech 
that anticipated the thoughts of May and Hughes—a 
people’s crypto movement to stave off the government. 


What if we could build a society where the 
information was never collected? Where you 
could pay to rent a video without leaving a 
credit card or bank account number? Where 
you could prove you're certified to drive without 
giving your name? Where you could send and 
receive messages without revealing your 
physical location, like an electronic post office 
box? That’s the kind of society I want to build. I 
want to guarantee—with physics and 
mathematics, not with laws—things like real 
privacy of personal communications... real 
privacy of personal records... real freedom of 
trade ... real financial privacy ... [and] real 
control of identification. 


Gilmore was particularly interested in making sure that 
information about crypto found its way into the public 
domain. (He had been the one who had used the Internet to 
circulate Ralph Merkle’s fast-encryption paper after the 
NSA had asked Xerox not to publish it.) More recently, he 
had been trying to liberate four early cryptanalysis 
textbooks by the NSA’s legendary wizard William Friedman, 
filing Freedom of Information (FOI) requests to have the 
fifty-year-old works declassified. He even hired a Berkeley 
lawyer to help him negotiate the complicated process and 
file suit when government agencies did not respond within 
the specified legal time period. 


Not long after demanding the Friedman texts, Gilmore 
began an extensive bibliographic search for them on the 
Internet, using “know-bots,” which were automated 
intelligent search programs. The bots indicated that copies 
of two Friedman codebreaking works were publicly 
accessible, one in the Virginia Military Institute library, the 
other on microfilm at Boston University. Apparently at one 
time the government had lifted the restrictions on them, 
but in the Reagan era they had once again been classified. 
Gilmore immediately got friends to send him copies and 
notified the judge hearing his FOI appeal that the texts 
were on public library shelves. The government responded 
by notifying Gilmore that any further distribution of the 
Friedman texts would violate the Espionage Act, which 
mandated a possible ten-year sentence for violations. In 
other words, Gilmore could be sent to Leavenworth for a 
decade, just for taking a book out of the library and sharing 
it with friends. Gilmore not only notified the judge that his 
First Amendment rights were being violated, but told his 
story to a local reporter. 


Two days later, the government backed down, formally 
declassifying the two texts. But Gilmore persisted in asking 
for the other works, and requested that the judge declare 
the Espionage Act itself an unconstitutional suppression of 
free speech. When a reporter asked him if his stance might 
not weaken national security, he was unrepentant. “We are 
not asking to threaten national security,” he said. “We’re 
asking to discard a Cold War bureaucratic idea of national 
security which is obsolete. They’re abridging the freedom 
and privacy of all citizens, to defend us against a bogeyman 
that they will not explain.” 


Working with Gilmore (only later did Whitfield Diffie 
agree to participate as a sort of éminence grise), Hughes 
and May began planning a physical meeting of the 
proposed movement. Hughes was then calling the group 
CASI, or Cryptology Amateurs for Social Irresponsibility. 
Hughes and May prepared all summer, setting the 
invitation-only event for September 19, 1992, at Hughes’s 
house in Berkeley. Because the nature of the enterprise 
involved an implicit attack on the government’s most 
powerful spy agency, it was decided that discretion should 
be the watchword. 


The meeting exceeded everyone’s expectations. Unlike 
the Birkenstocked academics and rubber-necking spooks 
who met at the Crypto conferences, the twenty or so in 
attendance were people who saw cryptography totally 
outside the context of their own careers (if indeed they had 
one, as some did not). Their main concern was how people 
would and should use crypto tools. Their politics were 
heavily libertarian; more than a few were also self-proclaimed 
Extropians, whose philosophy merged an 
extremist view of individual liberties with a loopy belief that 
the far fringes of scientific research would soon accrue to 
our benefit. (Topics that made Extropians giddy included 
nanotechnology, cyborgs, and cryogenics; some Extropians 
had signed up to have their heads posthumously frozen, to 
be thawed and revived in some distant century.) 


But it would be a mistake to misjudge this group by their 
peccadilloes or by the modest turnout at this first meeting. 


In fact, they would wind up becoming so influential that 
their grandiose fantasies would be vindicated. Profane, 
cranky, and totally in tune with the digital hip-hop of 
Internet rhythm, they were cryptographers with an 
attitude. If the government hadn’t enough to worry about 
with industry, privacy advocates, and reform-minded policy 
wonks urging liberalization of encryption, the emergence of 
crypto rebels as popular culture heroes was a tipping point, 
an unexpected sign that the code wars had gone someplace 
new. The code rebels had arrived, brandishing a powerful 
intellectual weapon: crypto anarchy. 


For this first meeting, Tim May had produced a fifty-seven-page 
handout, along with an elaborate agenda 
including discussion of “societal implications of 
cryptography,” “voting networks,” and “anonymous 
information markets.” There were reports on digital money 
in virtual realities and John Gilmore’s assessment of the 
NSA. And there was time set aside, of course, for the 
“reading of manifestos.” Tim May had one prepared 
especially for the meeting, which he called the Crypto 
Anarchist Manifesto. It ended on a stirring note: 


Just as the technology of printing altered and 
reduced the power of medieval guilds and the 
social power structure, so too will cryptologic 
methods fundamentally alter the nature of 
corporations and of government interference in 
economic transactions. Combined with 
emerging information markets, crypto anarchy 
will create a liquid market for any and all 
material which can be put into words and 
pictures. And just as a seemingly minor 
invention like barbed wire made possible the 
fencing-off of vast ranches and farms, thus 
altering the concepts of land and property 
rights in the frontier West, so too will the 
seemingly minor discovery out of an arcane 
branch of mathematics come to be the wire 
clippers which dismantle the barbed wire 
around intellectual property. 

Arise, world; you have nothing to lose but 
your barbed-wire fences! 


For a couple of hours, people were invited to play “the 
Crypto Anarchy game,” a role-playing exercise in which 
people imagined using exotic crypto protocols to keep 
surveillants in the dark about their activities, such as 
passing secrets or doing drug deals. Since PGP 2.0 had 
been released only days before—and most in attendance 
were huge fans of the first version—much of the meeting 
was spent discussing Phil Zimmermann’s latest effort, and 
copies were distributed to all in the room. (Zimmermann 
himself was still in Boulder.) The event turned into a key-swapping 
party, as everyone exchanged PGP public keys 
and signed one another’s key ring. PGP, after all, was the 
embodiment of the group’s belief that cryptography was too 
important to be left to governments or even well-meaning 
companies. Only dedicated individuals, willing to suffer the 
consequences of government sanction, could assure that 
the tools got circulated into the Internet’s bloodstream. 
After that, John Gilmore said, “It would take a pretty strong 
police state to suppress this technology.” 


One unexpected highlight was an observation made by 
Hughes’s companion, a leather-clad writer who penned 
articles for the digital hippie magazine Mondo 2000 under 
the name St. Jude. Listening to the visions of overturning 
society with modular arithmetic, she made the connection 
with the recent rise of so-called cyberpunks—hackers 
turned hipsters by linking the in-your-face iconoclasm of 
punk-rock rebels with the digital revolution. “Hey,” she 
called out, “you guys are cypherpunks!” They all loved the 
name. 


The newly dubbed group was eager to meet again in a 
month. In the meantime, Eric Hughes set up what would be 
a much more robust and fertile cypherpunk gathering 
place: the Internet. Using John Gilmore’s server (its 
Internet domain name was toad.com) as a cyberspace hub, 
Hughes set up what was known as a list-serv, an ongoing 
mega-discussion where anyone who signed up for the list 
would receive, unfiltered, the e-mail contributions of any 
other member who cared to report news, critique a 
cryptosystem, or unleash a rant. Within a few weeks, over 
100 people would sign on to the list, an impressive number 
considering the mind-numbing volume of messages passed 
—often well over 150 a day. 


After that first meeting, Eric Hughes drafted what he 
called “a small statement of purpose” to explain what the 
group was about. This “cypherpunk manifesto” envisioned a 
home-brewed privacy structure that the government 
couldn’t crack: 


Cypherpunks write code. They know that 
someone has to write to defend privacy, and 
since it’s their privacy, they’re going to write it. 
Cypherpunks publish their code so that their 
fellow cypherpunks may practice and play with 
it. Cypherpunks realize that security is not built 
in a day and are patient with incremental 
progress. 


Cypherpunks don’t care if you don’t like the 
software they write. Cypherpunks know that 
software can’t be destroyed. Cypherpunks know 
that a widely dispersed system can’t be shut 
down. 


Cypherpunks will make the networks safe for 
privacy. 


A couple of days afterward, Hughes revealed the details of 
the second meeting, to be held on October 10 at Cygnus’s 
new office in Mountain View. “Attendance is transitive trust, 
arbitrarily deep,” he wrote. “Invite who[m]ever you 
want. ... Do not, however, post the announcement. Time for 
that will come.” 


As indeed it would. By the following year, the list had 
expanded to more than 700 participants. The group’s 
original reluctance to ban journalists from its meetings—an 
ironic stance for people so enthusiastic about the spread of 
information in the Internet age—faded. Soon, cypherpunk 
lore would be a staple in publications ranging from Wired 
magazine to the New York Times. (Their faces, hidden by 
masks with scrawled PGP public key “fingerprints” on them, 
adorned Wired’s second issue.) The face of crypto had 
taken on a veneer of hipness. 


Crypto anarchy was a fascinating concept, infecting not 
only the media but the well-ordered domains of 
corporations and government as well. Even Donn Parker, a 
well-known security expert who had previously specialized 
in assessments of computer crackers, was now weighing in 
on the danger of the “coming state of information anarchy if 
crypto is allowed to proliferate unchecked in its present 
form.” (Parker recommended strong crypto, but with 
master keys in the hands of government—as it turned out, 
something that the government was already considering.) 


But even as the crypto rebels were becoming media 
darlings, government threats, and civil liberties heroes, few 
were aware that the mathematical and philosophical basis 
of their efforts had come from a single man, arguably the 
ultimate cypherpunk. He never attended a meeting, didn’t 
post to the list, and in fact had bitter running feuds with 
some of the people on it. Nonetheless, his ideas—and the 
patents he held on their implementations—were discussed 
with awe and fear both in the corporate and intelligence 
world. The creator himself was one of the most frustrating 
enigmas in the field, harder to crack than triple DES. 


This was David Chaum. 


Chaum, a bearded, ponytailed, Birkenstocked 
cryptographer and businessman, was the former Berkeley 
graduate student who had, on his own initiative, sustained 
the Santa Barbara Crypto conferences and organized the 
International Association for Cryptologic Research. But his 
legacy in the crypto world went far beyond that: for a 
number of years he was the privacy revolution’s Don 
Quixote, idealistically pursuing crypto liberation from Big 
Brother. While at Berkeley in the late 1970s, he began 
building on the foundation of public key to create protocols 
for a world where people could perform any number of 
electronic functions while preserving their anonymity. If the 
use of public key is akin to magic, and if elaborations like 
secret sharing and zero-knowledge proofs are viewed as 
powerful examples of that magic, then David Chaum was 
the Houdini of crypto, inventor of mathematical tools that 
could deliver the impossible: all the benefits of the 
electronic world without the drawbacks of an electronic 
path that could lead crooks, corporations, and cops to one’s 
doorstep. Magic, some believed, that potentially could make 
the entire concept of statehood disappear. 


From a very early age, David Chaum had an interest in 
the hardware of privacy. “I think what’s important to realize 
is that there is a strong driving force for me,” he says. “My 
interest in computer security initially, and encryption later 
on, came because of my fascination with security 
technologies in general—things like locks and burglar 
alarms and safes.” (At one point, as a graduate student, he 
even devised a new design for a lock and came close to 
selling it to a major manufacturer.) And, of course, he was 
completely fascinated by computers. Chaum was raised in 
suburban Los Angeles in a middle-class Jewish family (his 
birthdate is uncertain because of a characteristic refusal to 
divulge such specific identifying details). In high school and 
college—he began attending UCLA before graduating from 
high school, then enrolled at Sonoma State to be near a 
girlfriend, and finally finished up at UC San Diego—he did 
some garden variety computer pranking: password 
cracking, trash-can scrounging, and such. In math classes 
he hung out with a bunch of fellow malcontents: they would 
sit in the back of the class and every so often, when the 
teacher made an error, they would chime in with a 
counterproof. (Not exactly The Blackboard Jungle, but 
these were computer nerds.) He was also picking up a 
serious background in mathematics. And late in his college 
career, he came to cryptography, a discovery that in 
retrospect seems inevitable. 


He had already been thinking about the means of 
protecting computer information, but his first serious 
thoughts on the subject were revealed in an English class 
paper. The politically radical young woman teaching the 
course had urged the students to write about what 
interested them passionately. Chaum wrote about 
encryption. 


He chose Berkeley for graduate work, largely because of 
its association with the new paradigm of public key 
cryptography. He knew that Lance Hoffman, who taught 
there, had been Ralph Merkle’s teacher. He was unaware 
that Hoffman had rejected Merkle’s ideas out of hand. Still, 
he made good contacts at the school—he even met Whit 
Diffie, who was living in Berkeley then—and got the support 
he needed to begin his own work. Chaum’s first papers, 
published in 1979, are indicative of the focus his work 
would take: devising cryptographic means of assuring 
privacy. His ideas built upon the concept of public key, 
particularly the authentication properties of digital 
signatures. “I got interested in those particular techniques 
because I wanted to make [anonymous] voting protocols,” 
he says. “Then I realized that you could use them more 
generally as sort of untraceable communication protocols.” 
The trail led to anonymous, untraceable digital cash. 


For Chaum, politics and technology reinforced each other. 
He believed that as far as privacy was concerned, society 
stood at a crossroads. Proceeding in our current direction, 
we would arrive at a place where Orwell’s worst prophecies 
were fulfilled. He delineated the problem in a paper called 
“Numbers Can Be a Better Form of Cash Than Paper”: 


We are fast approaching a moment of crucial 
and perhaps irreversible decision, not merely 
between two kinds of technological systems, but 
between two kinds of society. Current 
developments in applying technology are 
rendering hollow both the remaining 
safeguards on privacy and the right to access 
and correct personal data. If these 
developments continue, their enormous 
surveillance potential will leave individuals’ lives 
vulnerable to an unprecedented concentration 
of scrutiny and authority. 


In the early 1980s, David Chaum conducted a quest for 
the seemingly impossible answer to a problem that many 
people didn’t consider a problem in the first place: how can 
the domain of electronic life be extended without further 
compromising our privacy? Or—even more daring—can we 
do this by actually increasing privacy? In the process he 
figured out how cryptography could produce an electronic 
version of the dollar bill. 


In order to appreciate this, one must consider the 
obstacles to such a task. The most immediate concern of 
anyone attempting to produce a digital form of currency is 
counterfeiting. As anyone who has copied a program from a 
floppy disk to a hard drive knows, it is totally trivial to 
produce an exact copy of anything in the digital medium. 
What’s to stop Eve from taking her one Digi-Buck and 
making a million, or a billion copies? If she can do this, her 
laptop, and every other computer, becomes a mint, and an 
infinite hyperinflation makes this form of currency 
worthless. 


Chaum’s way of overcoming that problem was the use of 
digital signatures to verify the authenticity of bills. Only one 
serial number would be assigned to a given “bill”—the 
number itself would be the bill—and when the unique 
number was presented to a merchant or a bank, it could be 
scanned to see if the virtual bill was authentic and had not 
been previously spent. This would be fairly easy to do if 
every electronic unit of currency was traced through the 
system at every point, but that process could also track the 
way people spent their money, down to the last penny. 
Exactly the kind of surveillance nightmare that gave Chaum 
the chills. How could you do this and unconditionally 
protect one’s anonymity? 


Chaum began his solution by coming up with something 
called a “blind signature.” This is a process by which a 
bank, or any other authorizing agency, can authenticate a 
number so that it can act as a unit of currency. Yet, using 
Chaum’s mathematics, the bank itself does not know who 
has the bill, and therefore cannot trace it. This way, when 
the bank issues you a stream of numbers designed to be 
accepted as cash, you have a way of changing the numbers 
(to make sure the money can’t be traced) while maintaining 
the bank’s imprimatur. 
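
The withdrawal and deposit steps described in the two paragraphs above, as an added example that is not from the book or from Digicash. The text does not spell out “Chaum’s mathematics,” so this sketch assumes textbook RSA blinding with a toy key; the `Bank` class, `withdraw` function, and all values are hypothetical.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the bank, built from two Mersenne primes (constructed;
# far too small for real use, and real schemes add padding).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the bank's private exponent


def digest(serial: bytes) -> int:
    """Map a serial number to the integer the bank's signature covers."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    def __init__(self):
        self.seen_at_withdrawal = []   # everything the bank saw while signing
        self.spent = set()             # serial numbers already deposited

    def sign_blinded(self, blinded: int) -> int:
        """Sign whatever number the customer submits (and debit the account)."""
        self.seen_at_withdrawal.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, signature: int) -> str:
        """Check the bank's own signature first, then the spent list."""
        if pow(signature, E, N) != digest(serial):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "accepted"


def withdraw(bank: Bank):
    """Customer side: pick a serial, blind it, get it signed, unblind."""
    serial = secrets.token_bytes(16)          # the number that *is* the bill
    m = digest(serial)
    while True:                               # blinding factor, invertible mod N
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N          # bank sees only this value
    signed_blinded = bank.sign_blinded(blinded)   # (m * r^E)^D = m^D * r
    signature = (signed_blinded * pow(r, -1, N)) % N   # strip r, leaving m^D
    return serial, signature
```

The bank's withdrawal log holds only the blinded value, so a later deposit of the serial cannot be matched to the account that withdrew it, yet the signature still verifies and a second deposit is caught.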


One of Chaum’s most dramatic breakthroughs occurred 
when he managed to come up with a mathematical proof 
that this sort of anonymity could be provided 
unconditionally. The Eureka Moment came as he was 
driving his Volkswagen van from Berkeley to his home in 
Santa Barbara, where he taught computer science in the 
early eighties. “I was just turning this idea over and over in 
my head, and I went through all kinds of solutions. I kept 
riding through it, and finally by the time I got there I knew 
exactly how to do it in an elegant way.” 


He presented his theory with a vivid example: a scenario 
of three cryptographers finishing their meal at a restaurant 
and awaiting the check. The waiter appears. Your dinner, he 
tells the dining cryptographers, has been prepaid. The 
question is, by whom? Has one of the diners decided 
anonymously to treat his colleagues—or has the NSA or 
someone else paid for the meal? The dilemma was whether 
this information could be gleaned without compromising 
the anonymity of the cryptographer who might have paid 
for the dinner. 


The answer to the “Dining Cryptographers” problem was 
surprisingly simple, involving coin tosses hidden from 
certain parties. For instance, Alice and Bob would flip a 
quarter behind a menu so Ted couldn’t see it—and then 
each would privately write down the result and pass it to 
him. The key stipulation would be that if one of them was 
the benefactor who paid for the meal, that person would 
write down the opposite result of the coin toss. Thus if Ted 
received contradictory reports of the coin toss—one heads, 
one tails—he would know that one of his fellow diners paid 
for the meal. But without further collusion, he would have 
no way of knowing if it was Alice or Bob who paid. By a 
series of coin tosses and passed messages, any number of 
diners—in what would be called a DC-Net—could play this 
game. The idea could be scaled to a currency system. 
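
One round of the coin-toss game, as an added example that is not from the book. It goes beyond the Alice, Bob, and Ted case in the text by assuming the usual ring arrangement for any number of diners (each neighboring pair shares one hidden toss), and it lets an observer enumerate every toss they could not see to show which diners remain possible payers; function names are hypothetical.

```python
import itertools
import secrets


def announce(n, coins, payer=None):
    """coins[i] is the toss shared by diner i and diner (i + 1) % n.
    Each diner announces the XOR of the two tosses they saw; the payer
    announces the opposite."""
    out = []
    for i in range(n):
        bit = coins[i] ^ coins[(i - 1) % n]
        if i == payer:
            bit ^= 1
        out.append(bit)
    return out


def someone_paid(announcements):
    """Every toss appears in exactly two announcements, so the XOR of all
    announcements is 1 only if a diner flipped their report."""
    parity = 0
    for bit in announcements:
        parity ^= bit
    return parity == 1


def suspects(n, observer, coins, announcements):
    """Diners the observer cannot rule out as the payer, using the public
    announcements plus the two tosses the observer actually saw."""
    visible = {observer, (observer - 1) % n}
    hidden = [i for i in range(n) if i not in visible]
    possible = set()
    for candidate in range(n):
        if candidate == observer:
            continue
        # Try every value of the tosses hidden from the observer.
        for guess in itertools.product((0, 1), repeat=len(hidden)):
            trial = list(coins)
            for index, value in zip(hidden, guess):
                trial[index] = value
            if announce(n, trial, candidate) == announcements:
                possible.add(candidate)
                break
    return possible


def play(n, payer=None, observer=0):
    """Run one round with fresh random tosses."""
    coins = [secrets.randbelow(2) for _ in range(n)]
    announcements = announce(n, coins, payer)
    return someone_paid(announcements), suspects(n, observer, coins, announcements)
```

Whatever the tosses turn out to be, a non-paying observer learns that a diner paid and is left with every other diner as an equally consistent candidate, which is the sense in which the untraceability does not depend on computing power.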


“It was really important, because it meant that 
untraceability could be unconditional,” he says—meaning 
mathematically bulletproof. “It doesn’t matter how much 
computer power the NSA has to break codes—they can’t 
figure it out, and you can prove that.” 


Chaum’s subsequent work—as well as the patents he 
successfully applied for—built upon those ideas, addressing 
problems like preventing double-spending while preserving 
anonymity. In a particularly clever mathematical twist, he 
came up with a scheme whereby one’s anonymity would 
always be preserved, with a single exception: if someone 
attempted to double-spend a unit that he or she had 
already spent somewhere else, at that point the second bit 
of information would allow a trace to be revealed. In other 
words, only cheaters would be identified—indeed, they 
would be providing evidence to law enforcement of their 
attempt to commit fraud. 


This was exciting work, but Chaum received very little 
encouragement for pursuing it. “For many years it was very 
difficult for me to have to work on this sort of subject within 
the field, because people were not at all receptive to it,” 
Chaum says. For a period of several years in the early 
1980s, Chaum attempted to make personal connections 
with the leading lights in privacy policy and share his ideas 
with them. 


“The uniform reaction was negative,” he says. “And I 
couldn’t understand this. It made it all the harder for me to 
keep pushing on this, because my academic advisors were 
saying, ‘Oh, that’s political, that’s social—you’re out of line.’” 
Even his advisor at Berkeley tried to dissuade him. “Don’t 
work on this, because you can never tell the effects of a new 
idea on society,” he told his stubborn student. Instead of 
heeding the warning, Chaum dedicated his dissertation to 
him, saying it was the rejection of the advisor’s thinking 
that motivated him to finish the work. 


Eventually, Chaum decided that the best way to spread 
his ideas would be to start his own company. By then he was 
living in Amsterdam; on an earlier visit with his Dutch 
girlfriend, he had fortuitously met up with some academics 
who offered him a post, which in turn led to an appointment 
at CWI, the Centre for Mathematics and Computer Science 
in Amsterdam. So, in 1990, he founded Digicash, with his 
own meager capital and a contract in hand from the Dutch 
government for a feasibility study of technology that would 
allow electronic toll payments on highways. Chaum 
developed a prototype by which smart cards holding a 
certain amount of verified cash value could be affixed to a 
windshield and high-speed scanning devices would subtract 
the tolls as the cars whizzed by. One could also use the 
cards to pay for public transportation and eventually for 
other items. Of course, the payments would be anonymous. 
To Chaum this was the most important part of the system: 
his fear was that a scheme that allowed officials to retrace 
the routes of citizens would be an Orwellian atrocity. 
(Systems eventually implemented in the United States, like 
the popular E-ZPass system, actually do track travelers.) 


After completing that contract (the system was never 
implemented), Chaum kept his company active in smart-card 
applications; some of the projects focused on cash 
systems that would be used in a building or complex of 
buildings. He had a working example of it at Digicash 
headquarters on the outskirts of Amsterdam; visitors could 
sample the future by using anonymous cash cards to buy 
sodas and make phone calls. 


But in the early 1990s, even as the world came around to 
the significance of the ideas Chaum had hatched in isolation 
—firms ranging from Microsoft to Citibank were pursuing 
digital cash projects—the company’s operations remained 
relatively small scale. Digicash remained independent, 
without a close alliance with a large partner in banking or 
financial services. Chaum felt that in time these partners, at 
the least licensees who used Digicash technology, would 
emerge. They had to. It was now the conventional wisdom 
that paper money would be replaced by crypto-protected 
digits. When that happened, his paradigm would become a 
crucial factor in maintaining privacy in the age of e-money. 
This was an idea Chaum believed was worth holding out for. 


Some people interpreted this as stubbornness, or, at 
least, poor business practice. “People wanted to buy David’s 
patents but he asked for too much—he wanted control,” 
says a former Digicash employee. Another tale making the 
rounds was that Chaum made a last-minute veto of a deal 
with Visa that would have made Digicash the standard for 
electronic money. A Digicash executive would later tell a 
reporter of similar blowups with other firms, including 
Microsoft. But Chaum furiously resisted the theory that his 
personality quirks and actions scotched realistic deals. 
When a reporter interviewed him about the subject, Chaum 
lashed out at the “malicious slander that it’s hard to do 
deals with me.” Still, frustrated by not being able to get 
Chaum’s patents, some companies began devising their 
own schemes for anonymity, which may or may not have 
infringed on his patents. 


Some cypherpunks felt that Chaum had taken the 
improper ideological approach by applying for patents on 
his work. (These idealists didn’t like RSA’s patents, either.) 
They complained that by withholding the technology from 
anyone who wanted to implement it—and threatening to 
sue anyone who tested the breadth of these patents—he 
was actually preventing his dream from being realized. This 
criticism enraged Chaum. “I really believe it’s sort of my 
mission to do this, because I have this vision that stuff like 
this might be possible, and I really felt it was my 
responsibility to do it,” he would say. “No one was working 
on this for a good half-dozen years while I was busily 
working on it and they all thought I was nuts. The patents 
are really helpful to our little company; we couldn’t license, 
really, without the patents, and the whole purpose of them 
from my point of view is to get this stuff out there.” 


It was an article of faith among cypherpunks that 
protocols for anonymity would indeed flourish. This was not 
a foregone conclusion. Many tried to make their own 
schemes, with names like Magic Money. Meanwhile, 
Citibank and Visa were exploring digital cash on their own. 
And a well-funded new company called Cybercash was 
being formed outside of D.C.; one of its investors was RSA 
Data Security. The cypherpunks wanted to know whether 
this new form of money would provide an electronic trail to 
the user. They hoped not. The c-punk list was full of 
scenarios in which the Internet provided “data havens” 
outside the United States, places beyond the purview of the 
industrialized nations where people could bank funds or 
even gamble with digital cash. When some cypherpunks 
helped organize the first conference on financial 
cryptography, its location was a foregone conclusion: 
Anguilla, a small Caribbean island whose transactions laws 
were, to say the least, liberal. 


One of Chaum’s ideas, adopted wholeheartedly by 
cypherpunks, was the emergence of services called 
“remailers.” These were sort of cyberspace information 
launderers ... outposts on the information highway, 
independently maintained by cypherpunk activists, who 
stripped any identifying marks from a message, then passed 
it on either to its final destination or to another remailer, for 
another round of data scrubbing. Your message goes into 
the remailer (also known as an anonymous server) with a 
return address—and gets forwarded without one. 


Just sending your anonymous message to a single 
remailer, though, was regarded as insufficient protection. 
Indeed, it imbued the person running the server with too 
much power. If he or she turned out to be untrustworthy, or 
got hacked, or was served with a subpoena, it would be all 
too easy for outsiders to get hold of one’s return address. It 
was the same problem that Whit Diffie originally 
complained about with network administrators and 
passwords. The cypherpunks thought they had the solution 
to this problem: they helped seed a loose confederation of 
remailers around the globe. In order to get real protection, 
you had to direct your messages through a series, or 
“string,” or “chain,” of remailers. Each remailing service 
would strip the return address; only the first one would 
have the original address. A cop or a spy trying to trace a 
message would then have to get the records (if they still 
existed, which they generally didn’t) of ten or twelve or 
twenty remailers in order to retrace the steps. So if the 
authorities couldn’t get the records from some remailer 
nerd in Tonga, they’d never find the original. (Some 
paranoid users—or, more likely, cypherpunks airing out 
their software—went through as many as a hundred 
remailers on their string; since there weren’t that many 
anonymity servers in the world, this required multiple 
visits.) 


To be really sure your anonymity was protected, you’d use 
PGP to encrypt the whole shebang with the public key of 
the final remailer on the chain. That way no remailer until 
the final one would be able to read the message, which by 
then would have its origins well buried. Want more 
security? Encrypt that final message in another envelope of 
PGP encryption, this one scrambled with the public key of 
the penultimate remailer on the chain. That would provide 
a double layer of encryption. And so on and so on, 
envelopes within envelopes, until privacy was fully assured. 
If at any point along the way, someone attempted to read 
the message, they’d get gibberish, “like getting a tape of 
microphone hiss,” gloated Eric Hughes. 
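
The envelopes-within-envelopes routing from the two paragraphs above, as an added example that is not from the book or from any remailer's code. A keyed hash stream with an integrity tag stands in for PGP encryption to each remailer's public key (an assumption made so the sketch runs offline); the names, addresses, and header format are constructed.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """Stand-in cipher: SHA-256 in counter mode (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(b"enc" + key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt one envelope for the holder of `key`."""
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + tag + body


def open_envelope(key, envelope):
    """Decrypt one layer; anyone else's key is rejected."""
    nonce, tag, body = envelope[:16], envelope[16:48], envelope[48:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("envelope is not addressed to this key")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def wrap(message, destination, chain, keys):
    """Sender side: seal for the final remailer first, then work outward."""
    packet = seal(keys[chain[-1]], b"TO:" + destination.encode() + b"\n" + message)
    for hop, following in zip(reversed(chain[:-1]), reversed(chain[1:])):
        packet = seal(keys[hop], b"TO:" + following.encode() + b"\n" + packet)
    return packet


def relay(sender, packet, first_hop, keys):
    """Pass the packet along the chain, logging what each remailer can see:
    who handed it the packet and where its own layer says to send it."""
    logs = []
    came_from, hop = sender, first_hop
    while hop in keys:
        plain = open_envelope(keys[hop], packet)
        header, _, packet = plain.partition(b"\n")
        following = header[3:].decode()
        logs.append({"remailer": hop, "received_from": came_from,
                     "forwards_to": following})
        came_from, hop = hop, following   # return address is not passed on
    return (hop, packet), logs
```

Only the first remailer's log contains the sender and only the last one's contains the destination, so retracing the message requires the records of every hop in between.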


With cypherpunk encouragement—the first remailer was 
set up by Hughes himself, on the Berkeley server—about 
twenty remailers were up and humming by 1993. Of all the 
barn-building efforts of those on the list, creating an easier 
way to utilize remailer chains was the most intense. It didn’t 
seem to bother the cypherpunks that those using the 
nascent system weren’t doing much to improve society. 
Most of the messages sent through remailers were postings 
to Usenet discussion groups on the Internet; sadly, these 
were generally harassing attacks on people or simply idiotic 
flames. Instead of enriching cyberspace conversations, 
these unsigned stink bombs degraded it. You’d have 
sophisticated on-line colloquies about technical issues or 
personal matters, and some moron would chime in with 
foul-mouthed insults—and the serious participants in the 
discussion would be frustrated because there’d be no way 
of applying sanctions to the conversational vandal who 
disrupted things. On the other hand, in some groups— 
notably those encouraging contributions from 
whistle-blowers or victims of sex crimes—otherwise reluctant 
message posters discovered a measure of security in having 
their messages attributed to alternate, untraceable 
identities known as “nyms.” It wasn’t unusual in such 
groups to see a lot of mail from clearly cloaked 
correspondents at sites like “bogus@no.return.address.” 


The hardest part of running a remailer, it turned out, was 
not technical. Cypherpunk scripts made the process fairly 
easy for the technically competent noncryptographer to set 
up an anon server. The tough part was standing up to the 
social and legal pressures that would come when outraged 
targets of hate mail and pranks would demand that the 
anonymous traffic cease. A typical case was a cypherpunk 
at the University of Washington who wanted to use the 
school’s computer system as a remailer. For a few months 
things went fine, “which wasn’t bad when you consider that 
it was based on a student account with a Nazi-like 
administration,” wrote the operator. “The death blow was a 
target [of e-mail attacks] complaining to me about someone 
sending unsolicited mail to them through my remailer.” The 
plea to stop such mail went to the system “postmaster,” the 
person in charge of the university’s e-mail system. Of 
course, the postmaster didn’t know anything about such a 
service being operated on the school’s computer, and 
“when he looked into it, he was quite surprised.” End of 
remailer. 


More successful was the case of Julf Helsingius, a Finnish 
computer consultant who began a remailer in his home 
outside Helsinki in 1993. He wanted to provide cover to 
people posting in a Usenet group concerning alcoholic 
recovery. He set up “Penet” (a variation on his company’s 
name, Pennitech) on a small UNIX machine running on a 
modest Intel 386 chip, and opened for business, relying 
solely on word of mouth for users. Soon thousands of people 
were sending messages through the machine, which would 
forward the messages to their destinations without the 
identifying header. The traffic got so intense that Julf had to 
install a high-speed Internet pipe in his home, which cost 
him a thousand dollars a month. Sometimes, users would 
write to Julf and ask him why he did it. The answer was 
complicated; Julf was part of the Swedish-speaking minority 
in Finland and had always felt strongly about the ability of 
minorities to speak up. In another sense though, he 
considered it a hobby. “Some people spend similar money 
on golf or whatever,” he would say. When people 
complained that he was allowing creeps and perverts to 
express themselves, he had a reply for that too: 


I can only answer that I believe very firmly that 
it’s not for me to dictate how other people 
ought to behave. But remember, anonymous 
postings are a privilege, and use them 
accordingly. I believe adult human beings can 
behave responsibly. Please don’t let me down. 


No matter what the result, the cypherpunk remailer 
effort generated a vital dialogue on the issue of anonymity 
in a digital society. One important cypherpunk text was 
Ender’s Game, a science fiction novel by Orson Scott Card. 
Part of the plot hinged on an influential public debate 
between two unknown philosophers who took advantage of 
remailer-type technology to post treatises under the 
fictional nyms of Demosthenes and Locke. Since the ideas 
were subversive, it was absolutely necessary to keep their 
real identities secret; nonetheless, the force of their 
arguments changed the course of society in the novel. 
Another good reason to hide the real people behind these 
ideas was that the writers were children, a brother and 
sister who were, respectively, twelve and ten years old. “It’s 
not my fault I’m twelve right now,” the young man explained 
to his sister. “The world is always a democracy in times of 
flux, and the man with the best voice will win.” 


But it was not only science fiction that valued anonymity. 
The practice was crucial in the formation of the United 
States itself, and was arguably as American as apple pie. As 
cypherpunk historians loved to point out, the model for the 
Ender’s Game debate may have been the Federalist Papers, 
with parts written by James Madison, John Jay, and 
Alexander Hamilton but published under the pseudonym 
Publius. And when Thomas Paine wrote Common Sense, he 
originally signed it “An Englishman.” As the Supreme Court 
would note, “Anonymous pamphlets, leaflets, brochures, 
and even books have played an important role in the 
progress of mankind,” a role the court has sustained in 
consistent rulings. In 1995, it would reaffirm the 
constitutionality of the concept once more, using the words 
of John Stuart Mill to hail anonymity as “a shield from the 
tyranny of the majority.” Who could blame cypherpunks for 
producing the cryptographic tools to preserve a writer’s 
ability to continue this vital tradition? 


Plenty of people, as it turned out. Critics—among them 
FBI director Louis Freeh—would contend that when 
anonymity hit the Internet, it did not merely find a familiar 
niche in a new medium; it was amplified beyond recognition 
into something more menacing. David Chaum’s invention of 
blind digital signatures and nontraceable anonymous cash 
had the potential to make cyberspace into an identity-free 
zone where one could go underground far more easily and 
effectively than in the physical world. When you spend hard 
currency in a store, for instance, no one asks you for ID 
papers—but your face marks the transaction in the 
cashier’s mind, particularly if you’re a return customer. (If 
you wore a bag over your head, you’d probably have 
trouble making the payment in the first place.) Using 
Chaumian protocols, you could potentially make all your 
purchases, send all your mail, even receive monies, with 
total assurance that no one would know who you are. But so 
could kidnappers, child pornographers, and terrorists, 
whose lives would be made much simpler and more secure 
with such tools. 


Such concerns didn’t faze the cypherpunks. On the 
contrary, they went out of their way to emphasize why the 
technologies of anonymity could be so controversial. A good 
example was Tim May’s announcement of an enterprise he 
called “BlackNet.” The group did not exist, of course. It was 
a thought experiment he originally figured to bring up for 
discussion at a cypherpunk meeting, but then decided to 
send it out anonymously on the Net. “I sent it through 
remailers so it would add a piquancy, a spiciness to it,” says 
May, who certainly didn’t mind going public with his own 
beliefs (he usually signed his e-mail with a hair-raising list 
of passions—“crypto anarchy, digital money, anonymous 
networks, digital pseudonyms, black markets, and collapse 
of governments”). 


BlackNet was a guerrilla theater presentation of those 
interests. “Your name has come to our attention,” the 
message began. “We have reason to believe you may be 
interested in the products and services our new 
organization, BlackNet, has to offer. BlackNet is in the 
business of buying, selling, trading, and otherwise dealing 
with information in all its many forms.” The offer went on to 
explain that with public key cryptography, a perfect data 
black market exists where one can get or sell everything 
from trade secrets to cruise missile plans without any risk 
of being identified. The parties in these transactions will not 
be known to each other, not even to BlackNet. Needless to 
say, no one would ever know who is behind BlackNet: 


Our location in physical space is unimportant. 
Our location in cyberspace is all that matters. 
Our primary address is the PGP key location 
“BlackNet” and we can be contacted 
(preferably through a chain of anonymous 
remailers) by encrypting a message to our 
public key (contained below) and depositing this 
message in one of the several locations in 
cyberspace we monitor. 


BlackNet also purported to deal in money, offering to make 
anonymous deposits in the bank of your choice. You could 
deal with BlackNet using actual cash or “cryptocredits,” 
BlackNet’s own internal currency (which could be used in 
any sort of untraceable clandestine information transaction 
you chose). And BlackNet itself had no ideology of its own, 
save one: “We consider nation-states, export laws, patent 
laws, national security considerations, and the like to be 
relics of the pre-cyberspace era.” 


To May’s delight, many accepted the BlackNet 
announcement at face value, especially as news of it leaked 
beyond the crypto community and into the more 
panic-prone world at large. Though BlackNet was fictional, May 
did believe that in the future we would see similar 
enterprises. It didn’t bother him at all—people were free 
agents, and responsible for themselves. “If people die as a 
result of this... eh!” he said. “I didn’t hurt them.” 


All in all, the exercise put a screaming exclamation point 
to cypherpunk philosophy. Crypto anarchy until then may 
have been the province of science fiction writers, but the 
tools to make it real were arriving. As those digital 
armaments were put to use, it was possible that a thousand 
BlackNets could bloom. Certainly this was something noted 
inside the Triple Fence—and at FBI headquarters as well. 
Did it portend a movement that had to be stopped? The 
establishment was beginning to think so. 


With the powers of crypto, “we have the capability of 100 
percent privacy,” admitted security expert Donn Parker. 
“But if we use this, I don’t think society can survive.” 


the clipper chip 


The creator of the Clipper Chip was an unintentional spook. 
Clinton Brooks’s passion was astronomy. He studied it at 
Yale during the late sixties, and wanted to make it his 
career, after fulfilling his ROTC obligations in the navy. His 
duty was slated for the Pacific, and he planned to move his 
wife and small children to Hawaii and sail as a shipboard 
communications officer. He didn’t realize that people at a 
certain intelligence agency had other plans for him. 


Several years earlier, Brooks had been assigned for his 
mandatory summer duty to a location unknown to him: Fort 
George Meade. He had driven to Maryland, expecting a 
typical military base. Instead he was intercepted by 
inscrutable guards outside what looked like a modern office 
building in the middle of nowhere who told him that only 
those with high security clearances could enter. To his 
surprise, a phone call revealed that he already had been 
granted such a clearance. Welcome, Clint Brooks, to the 
National Security Agency. He might have thought of this 
duty as an interlude, but his superiors had apparently taken 
note of his abilities, and offered him an alternative to the 
navy. Not only could he remain in the States, but he’d have 
a chance at a deeper satisfaction—an opportunity to 
indulge his cosmic yearnings, to a degree, by working in 
top-secret satellite reconnaissance. He would not, of course, 
be able to talk about his work to his friends, neighbors, and 
relatives, because even the title of the satellite organization 
was more closely protected than the No Such Agency itself. 
But it sounded good to Brooks. So he declined his 
commission on the USS Pueblo—the intelligence ship that 
would be captured by the North Koreans a few months 
later, on January 23, 1968. He would work at the agency 
that dared not speak its name. 


Twenty-four years later, Clint Brooks was an assistant 
deputy director at the agency that now did speak its name 
in public. And he found himself at the center of a crisis that 
involved the very mission of the National Security Agency: 
the rise of public cryptography. One day in the late spring of 
1992, he walked over to the office of a recently arrived 
general counsel of the agency to enlist the newcomer’s aid 
in a campaign that, Brooks hoped, might help the agency 
get through this dangerous passage. 


Traditionally, the NSA general counsel is recruited from 
outside, a lawyer familiar with government work with no 
particular experience in intelligence matters. Someone who 
can fit into the cloistered culture inside the Triple Fence, 
but who retains a sense of the real world beyond. It had 
been Bobby Ray Inman who first figured out that a sharp 
legal mind just plucked from the fray could best forward the 
agency’s business, and provide a level of oversight that 
perhaps a career spook might not. Ever since Inman’s 
lawyers helped him navigate the agency’s problems with 
academic crypto research, a series of sharp, relatively 
young attorneys had filled the post for a couple of years, 
then each had moved on. 


Stewart Baker fit the mold. Born in 1947 and raised 
outside Detroit, he went to law school at UCLA, clerked for 
a federal judge, then went into private practice for Steptoe 
and Johnson, one of the most prestigious firms in the 
nation’s capital. He served for a few years in Jimmy Carter’s 
Education Department, then returned to Steptoe. When 
recommended for the NSA job, he’d been unsure about it. 
“Should I do it?” he asked a military friend. “What better 
could you do for your country?” his friend replied. 


Baker had occupied his new office for less than a month 
before Clint Brooks’s visit. It was clear that the spindly, 
square-jawed NSA lifer was a true believer—but in what? 
Before he spoke, Brooks placed a large bottle of Advil on 
Stewart Baker’s desk. “You’re going to need this,” he said. 


Then Brooks laid out the entire story of how cryptography 
was going public. He told Baker about DES, the strong 
cipher that wound up in more common use than the NSA 
had expected, then about the development of public key, 
and RSA, and the agency’s troubles with the new 
cryptographic community that led to the compromise of 
prepublication review. And now, he said, the idea that you 
could control things by vetting academic papers was 
irrelevant: companies like RSA were selling crypto 
commercially. Baker was aghast. How did you let that stuff 
out? he wanted to know. 


It wasn’t that simple, Brooks explained. The NSA has two 
roles. One, of course, is cracking ciphers and providing 
great intelligence to the rest of the government. But the 
other is to provide the United States with the best possible 
codes. Inside the Triple Fence, this duality was referred to 
as “Equities,” reflecting, no doubt, that both tasks were 
equally important. Clint Brooks was the Equities guy at the 
NSA. It was a thankless balancing act, because an advance 
in one mission was sometimes a threat to the other one. In 
the old days, at least, the debate was confined inside The 
Fort, but now it took place in the halls of Congress and in 
the pages of the New York Times. Meanwhile, the specter of 
widespread encryption was like a train bearing down not 
just on the NSA but on society in general. Like the 
cypherpunks, Clint Brooks looked into the future and saw 
crypto everywhere. But while the crypto rebels embraced 
the vision, Brooks understood that this new reality was a 
potential disaster, if the agency did not adjust. 


This was gospel that Brooks had been preaching for 
several years, at first to deaf ears. During most of the 
1980s, after director Inman’s first skirmishes with the 
crypto academics, most people at the agency hadn’t been 
much concerned with the possibility that public 
cryptography would affect them in any significant way. 
Strong export laws kept everything under control, assuring 
that nothing as strong as DES left the country without 
restrictions. In the chill of the Cold War, Congress always 
gave Fort Meade what it asked for. And though an 
occasional in-house Cassandra would cite some pundit’s 
prediction that in two or three years widespread 
commercial crypto would take off, it never did seem to 
happen. So it was easy to think that it might never happen. 
Brooks knew otherwise. Beginning around 1988, he came 
to understand the direction the Internet was taking and 
realized that, this time, the threat was real. But his 
superiors laughed when he tried to lecture them. What are 
you talking about? they’d say. We’re the only 
cryptographers! This is a military technology, not 
something that people want to use! Only when an Internet 
revolution became plausible, and companies like Lotus 
actually started to build crypto like RSA into their products, 
did the top levels of the agency come to realize that Brooks 
had a point. So they authorized him to find some sort of 
solution to this conundrum. And Brooks had indeed come 
up with one. 


That was the reason for Clint Brooks’s visit to Stewart 
Baker: to get him on board with the plan. There was, he 
explained, a possible way out ... a solution that not only 
could give the unprecedented protection of strong crypto to 
the masses, but that would also preserve the government’s 
ability to get hold of the original plaintext conversations and 
messages. In fact, for the past three years, Brooks revealed, 
the NSA had been creating such a scheme. It involved a 
technique known as key escrow. 


The project had begun in 1989. Brooks, in his role as Fort 
Meade’s Equities man, had been racking his brain to figure 
out how to reconcile the two seemingly incompatible 
demands: the need for strong public codes and the agency’s 
need for plaintext traffic. Clearly, no solution was perfect. 
The idea was to strike the proper balance, giving users of 
nonclassified information both inside and outside the 
government a healthy measure of security, but not so much 
that the public’s safety was abridged. At the time the NSA, 
acting in accordance with the Memorandum of 
Understanding, had formed the working group on 
cryptography with the National Institute of Standards and 
Technology. In NIST’s acting director Ray Kammer, Brooks 
found a kindred soul. The two of them spent hours going 
over the problem, probing the technical and even 
philosophical aspects of a crypto policy. 


In one of their early discussions, Brooks and Kammer had 
simultaneously had an epiphany: the use of encryption 
would have a profound effect on law enforcement, 
particularly in its ability to continue wiretapping. They 
began visiting people in the Justice Department and the 
FBI, none of whom had the slightest inkling of the troubles 
that lay ahead. Brooks or Kammer would tell them that all 
the authorizations to wiretap in the world might not help 
them when crooks used encryption, and their jaws would 
drop. Can’t you help us? the law enforcement people would 
ask. 


Brooks had once assumed the solution might lie in a giant 
deception. The agency could create a putatively strong 
cryptosystem, so apparently strong that companies would 
build it into their products and export it around the world. 
But the agency would have built in a “trapdoor,” to allow 
the NSA secretly to derive plaintext from encoded 
transmissions. But after some clear thinking, he discarded 
that risky, and questionably legal, idea. Such a scheme 
would entail getting decrypted messages from U.S. citizens. 
You might be able to justify a hidden trapdoor to snoop on 
foreigners, but if Congress or some investigative reporter 
discovered that the NSA had launched a clandestine 
surveillance plan against Americans, the Church committee 
would look like a picnic. 


So Brooks spent nights awake trying to conjure some 
other idea. On one of those nights, he had a flash. There 
could be a compromise that could satisfy everybody. In the 
physical world, a search warrant compelled a suspect in a 
crime to give authorities the combination of a safe. Why not 
translate that concept to the world of communications and 
computers? If you created a system by which special 
duplicate encryption keys were somehow spirited away and 
stored in secure facilities, you would essentially be holding 
lock combinations in escrow, unavailable to anyone but 
those who had authority to retrieve them. Those with that 
legal authority—a search warrant from a judge or an 
understood set of national security criteria—could get the 
keys from the trusted storage facility. Once that access was 
assured, there would be no problem in allowing the 
encryption itself to be as strong as anyone liked. Make it 
uncrackable! If the FBI or the police needed the key, and a 
judge concurred, then they’d have the wherewithal to 
decipher it, just as if they were the intended recipients. 


To some people at the agency, the scheme was a heresy: 
You’re going to put a back door into a cryptosystem ... and 
TELL people about it? But full disclosure was a critical part 
of Brooks’s vision. He really wanted this new scheme to kick 
off a national debate about cryptography. Only then, he 
believed, could an escrow scheme, which would require an 
elaborate infrastructure, be established. With the 
government no longer concerned about getting hold of 
encoded messages, the path would be free and clear 
toward a universal blanket of crypto, with organized public 
key distribution, standardized digital signatures, and 
automatic encryption of messages. The privacy nuts and 
conspiracy freaks would raise hell at the idea of escrowed 
keys. But if all the issues were aired, all the dangers 
addressed, all the benefits sketched out, surely reasonable 
people could see that this plan was the best way to protect 
our communications without sacrificing our safety. Anyway, 
what was the alternative? 


Of course, if such a scheme were to be launched, the NSA 
itself would have to change, readjusting its focus so it would 
operate in a highly computerized—and crypto-ized—post- 
Cold War world. The intensity with which The Fort still 
maintained its veil of secrecy was no longer appropriate. If 
the people were to buy such a radical idea, the NSA would 
have to earn their trust. Thus it was imperative to bring the 
debate on cryptography to the public, treading on once 
forbidden areas with brutal honesty. 


Brooks eventually got approval to pursue his plan, but his 
idea that the NSA should collaborate with the general 
public was received with skepticism or worse. He found 
himself arguing like some deranged Jeremiah. “This has got 
to be a national policy,” Brooks said at one meeting of the 
top NSA officials. When asked by a deputy director to 
explain further, he replied, “This isn’t a judgment that can 
be made by the director of the National Security Agency or 
a committee of deputies . . . it’s a value judgment as to 
what’s in the best interest of the country. It has to be 
decided by the president of the United States.” The official 
who answered directly to the voters! His peers thought he’d 
gone off the deep end. This was the National Security 
Agency, their attitude was, and we don’t do that sort of 
thing. 


While waiting for the public debate to take shape, Brooks 
was working hard with other agencies to set up a structure 
for his ambitious key escrow plan. Because of the 
Memorandum of Understanding, of course, the agency 
would have to develop the scheme with NIST. But that was 
no problem. The joint technical working group had been 
working on the public crypto situation since the very first 
meeting in March 1989, particularly on the digital 
signature algorithm. Public crypto was known within the 
group as Issue One. 


A third stakeholder in the discussions was the FBI. The 
early alert from Brooks and Kammer had indeed awakened 
interest at the bureau: in 1991, director William Sessions 
had written to defense secretary Dick Cheney about 
computer security, clearly indicating that his agency wanted 
a voice in determining policy. The FBI, it turned out, would 
actually assume the hardest line on the issue. 


The NSA, of course, did the technical heavy lifting. By 
1990, thirty of its mathematicians were working on the 
problem. They quickly settled on the bedrock of the system, 
a powerful encryption algorithm that had been kicking 
around Fort Meade for a couple of years. Its codename was 
Skipjack. It was a block cipher like DES but was deemed 
much stronger. Its recommended key length was 80 bits as 
opposed to DES’s 56; it used 32 rounds of substitution 
instead of 16. (There appear also to have been some more 
subtle technical reasons for Skipjack’s superiority, but of 
course, the NSA was loath to reveal these.) Though Brooks 
tried to argue that in this new era, it might be appropriate 
to reveal the algorithm—insisting, in fact, that to win over 
their critics they would probably be forced to publish it 
anyway—he met with staunch resistance. Never—never— 
would the agency allow its foes access to what amounted to 
an advanced course on the cutting edge of codemaking. 
Things don’t work that way at The Fort. 


Skipjack, though, was only a single component of what 
the NSA called Capstone, which was a complete public key 
system that would include the digital signature standard. Of 
course, this particular scheme had an additional 
complication: how would you implement the escrow? You’d 
have to figure out a way to isolate a copy of each key and 
send that information elsewhere for storage. By 1991, the 
NSA decided that trying to do this in software was too risky 
—it feared that some foe could change the code to build in a 
weakness—and concluded that a better method would be to 
put the whole shebang on a tamperproof computer chip. An 
experienced defense contractor in Torrance, California, 
called Mykotronx was hired to fabricate the chips. 


The system itself worked by inserting several new 
components into the classic equation where Alice encrypts 
and Bob decrypts. One of them was the “unique chip 
identifier.” It was a number that matched up with a “chip 
unique key” that was assigned to a single physical chip. 
Each device—a computer or perhaps a phone—would have 
its own unique chip identifier and chip unique key. 


When two people wanted to communicate privately, they 
would each have one of those devices. If, for instance, they 
wanted a phone conversation that an eavesdropper couldn’t 
hear, they’d have special phones with the technology built 
in. Once the connection was made, the phones would zip 
signals to each other (via a Diffie-Hellman exchange) to 
calculate a new symmetrical key, called the session key. 
Using Skipjack, that key would actually encode the sounds 
of each speaker as the sounds left the phone and decrypt 
those sounds as they emerged from the other phone. But 
along with the encrypted conversation, the phones would 
transmit another set of bits, called the Law Enforcement 
Access Field (LEAF). (It was originally called the Law 
Enforcement Exploitation Field, but was changed to a 
somewhat less ominous term.) The LEAF would be 
generated by a set of calculations involving the session key, 
the chip unique key, and the unique chip identifier, winding 
up with two important components: an encrypted version of 
the session key and the unique chip identifier. All of that 
would be further scrambled by the family key. 


So how would officials get hold of those keys? They would 
already be in possession of one of them, the family key— 
there’s only one in the whole system. The tricky part of the 
scheme would be getting the proper chip unique key and, 
ultimately, the session key. This would be performed by way 
of the LEAF. 


What if an eavesdropper captures the information on the 
LEAF? Even if he could isolate the chip identifier from the 
LEAF, it would be useless. All the identifier would do, really, 
is identify. It would point to a chip unique key in a vast 
database. But only the government wiretappers would have 
access to that database, stocked with every chip unique key 
in existence. Having that identifier without a way to get into 
the escrow facility would be like having someone’s 
fingerprint and no access to crime records: it would be of 
no help whatsoever in telling you who it identifies. But a 
government agent would be able to take that identifier, 
along with a court order, to an escrow facility, and match it 
up with the chip unique key. And then combine it with the 
family key. Voilà! You’d have the session key—and the fuzz 
of an encrypted conversation could be transformed into 
blessed, perhaps incriminating, plain language. 


That led to another complication. Where would the 
escrowed keys be stored? If they were all kept in one place, 
it would be a potential gold mine for all sorts of crooks, 
spies, and even corrupt U.S. government agents—anyone 
with access could get hold of the means to violate the 
privacy of every encrypted conversation in the world. So 
Brooks and his colleagues decided that the escrowed keys 
would be split into two pieces that would be stored in 
different locations. This would be done in such a way that 
obtaining one piece of the key would provide no 
mathematical advantage in discovering the entire key. 
When a judge authorized a wiretap, the law enforcement 
officer would present the warrant to both escrow agents, 
construct the key, and then have the wherewithal to listen 
to the conversations. 
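
The LEAF construction and the two-agent key split described in the preceding paragraphs, as an added sketch that is not from the book or from the real Clipper design. An HMAC-SHA256 keystream stands in for the classified Skipjack cipher, and the field widths, the per-LEAF nonce, the `EscrowAgent` class and the court-order model are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 10    # 80-bit keys, the Skipjack key length quoted in the text
ID_BYTES = 4      # assumed width of the unique chip identifier
NONCE_BYTES = 8   # per-LEAF nonce, needed only by the stand-in cipher

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key, nonce, data):
    """Stand-in for Skipjack: XOR with an HMAC-SHA256 keystream.
    Encrypting and decrypting are the same operation."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(4, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return xor(data, stream)

def split_key(key):
    """Two-way XOR split: each share on its own is uniformly random,
    so holding one share says nothing about the key."""
    share_a = secrets.token_bytes(len(key))
    return share_a, xor(key, share_a)

class EscrowAgent:
    """One of the two storage facilities; holds one share per chip."""
    def __init__(self, name):
        self.name = name
        self._shares = {}

    def deposit(self, chip_id, share):
        self._shares[chip_id] = share

    def release(self, chip_id, court_order):
        # Hypothetical authorization model: the order lists the chip ids it covers.
        if chip_id not in court_order:
            raise PermissionError(self.name + ": no order covers this chip")
        return self._shares[chip_id]

class Chip:
    """A device chip: unique identifier, chip unique key, shared family key."""
    def __init__(self, chip_id, family_key, agent_a, agent_b):
        self.chip_id = chip_id
        self._family_key = family_key
        self._unique_key = secrets.token_bytes(KEY_BYTES)
        share_a, share_b = split_key(self._unique_key)
        agent_a.deposit(chip_id, share_a)   # escrowed at manufacture
        agent_b.deposit(chip_id, share_b)

    def make_leaf(self, session_key):
        """Wrap the session key under the chip unique key, prepend the
        chip identifier, then scramble both under the family key."""
        nonce = secrets.token_bytes(NONCE_BYTES)
        wrapped = toy_cipher(self._unique_key, nonce + b"inner", session_key)
        body = self.chip_id + wrapped
        return nonce + toy_cipher(self._family_key, nonce + b"outer", body)

def open_leaf(leaf, family_key):
    """Step 1 for the wiretapper: the family key exposes the chip identifier."""
    nonce, body = leaf[:NONCE_BYTES], leaf[NONCE_BYTES:]
    plain = toy_cipher(family_key, nonce + b"outer", body)
    return nonce, plain[:ID_BYTES], plain[ID_BYTES:]

def recover_session_key(leaf, family_key, agents, court_order):
    """Steps 2 and 3: fetch both shares, rebuild the chip unique key,
    and unwrap the session key carried in the LEAF."""
    nonce, chip_id, wrapped = open_leaf(leaf, family_key)
    share_a, share_b = [agent.release(chip_id, court_order) for agent in agents]
    unique_key = xor(share_a, share_b)
    return toy_cipher(unique_key, nonce + b"inner", wrapped)

def demo():
    family_key = secrets.token_bytes(KEY_BYTES)
    agents = (EscrowAgent("agent-A"), EscrowAgent("agent-B"))
    chip = Chip(b"\x00\x00\x30\x39", family_key, *agents)  # constructed sample id
    session_key = secrets.token_bytes(KEY_BYTES)  # stands in for the Diffie-Hellman result
    leaf = chip.make_leaf(session_key)
    order = frozenset({chip.chip_id})
    recovered = recover_session_key(leaf, family_key, agents, order)
    try:
        recover_session_key(leaf, family_key, agents, frozenset())
        refused = False
    except PermissionError:
        refused = True
    return {"session_key": session_key, "recovered": recovered,
            "refused_without_order": refused, "leaf_len": len(leaf)}

if __name__ == "__main__":
    print(demo())
```

The security of the whole arrangement rests on the single family key and the two share databases, which is why the text treats their storage as the next problem.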


In late July 1992, all the relevant government agencies 
met for an off-site meeting at the FBI’s Engineering 
Research Facility in Quantico, Virginia, to discuss the 
alternatives for a national encryption policy. Clint Brooks 
made the opening presentation. As recorded by one official 
in attendance: 


He presented these within the context of a 
national goal that would satisfy the need for 
good commercial and unclassified 
cryptographic security while protecting the 
interests and responsibilities of national 
security and law enforcement organizations. He 
termed the achievement of this goal “Nirvana.” 


The agencies didn’t reach total agreement. Notably, the 
FBI apparently was arguing for the ability to do its 
decrypting instantaneously, or in “real time,” an approach 
that the NIST people deemed “draconian and intrusive.” 
(The FBI approach would essentially dictate that the escrow 
facilities should be a phone call away at any time, and 
safeguards against abuse would go out the window.) But 
they all agreed that a system should provide encryption for 
the public while allowing the cops and the spooks access to 
the keys—essentially, the NSA solution. 


Until the whole government got behind it, the escrow 
scheme was just another flashy technology concocted 
behind the Triple Fence. In order for it to work, it needed to 
be ubiquitous. As Brooks had anticipated—and as his 
superiors finally came to understand—such a sweeping 
change needed the imprimatur and active support of 
government’s highest level, up to George Bush himself. But 
an election was approaching, not the time to air potentially 
controversial new ideas. In any case, the Bush people 
seemed unconvinced of the urgency of quick action. Brooks 
figured that in 1993, after Bush was returned to the White 
House, the reelected president would be able to tackle the 
problem, free from worries about what the electorate might 
think. 


But in 1992, two unexpected events dramatically shaped 
the course of Clint Brooks’s key escrow scheme. The first 
one involved an innovative product about to be introduced 
into the marketplace—a twenty-four ounce box that 
connected to the telephone. That pound and a half of 
technology portended tons of problems. The second 
development was the election of a new U.S. president. 


The box’s technical name was the AT&T Telephone 
Security Device (TSD) 3600. For several years, the 
telecommunications giant had been manufacturing secure 
phones for the government, using a special NSA-designed 
algorithm. In 1992, the company decided to broaden its 
market outside the government, and began limited sales of 
a voice data scrambler that used an encryption algorithm 
devised by AT&T’s own crypto team. That autumn, it 
decided to follow up on an even wider scale—by launching a 
secure phone designed to sell by the thousands. If you were 
worried about snoopers listening for sensitive data 
involving intellectual property, trade issues, and business 
strategies, you’d want one of these. You didn’t have to be an 
engineer or a nerd to use it, either. “It connects easily to 
desk telephones or... mobile cellular phones,” gushed 
company literature. “And it’s as easy to use as it is portable. 
To protect conversations, the user simply pushes a single 
button. The call is automatically encrypted and the 
conversation secured.” AT&T also claimed that the voice 
quality on this device was, unlike the relatively fuzzy phones 
that the military used, almost as good as that of a regular 
telephone. 


What’s more, this new phone would use the most trusted 
encryption algorithm of all to scramble voice: DES, the 
cipher that was still a hot button behind the Triple Fence. 


The NSA, of course, was unhappy at this new use of the 
problem child it had once blessed. But news of AT&T’s plan 
was even more troubling to the FBI. The law enforcement 
agency had already been complaining that new telephone 
features like cellular service and call forwarding were 
making it more difficult to implement wiretaps. Its solution 
was to propose a new bill, known within the Beltway simply 
as “Digital Telephony.” The law would mandate that all new 
telecommunications equipment be designed with wiretaps 
in mind; it essentially banned new devices and services that 
denied the government an easy way to conduct 
surveillance. Critics were already howling. It was bad 
enough that the bill would cost equipment makers 
hundreds of millions of dollars (presumably a cost passed 
on to consumers). Much worse was the central premise 
behind the legislation, which required the tail of wiretaps to 
wag the dog of telecommunications. Instead of encouraging 
one of the country’s most innovative industries to produce 
the systems that would sustain America’s high-tech success 
in the global marketplace, Congress would be locking a ball 
and chain on innovations. And for what? Just to keep its 
ears open to approximately 1000 annual federal wiretaps, 
to glean information that could arguably be recovered by 
other means, like hidden bugs or informants? 


Though Digital Telephony didn’t mention cryptography 
specifically, the specter of crypto restrictions hung over the 
legislation like some digital Sword of Damocles. As Brooks 
and Kammer had explained to the FBI, strong crypto could 
totally screw up the benefits of the bill. Even if Digital 
Telephony passed, and the industry faithfully followed its 
strictures, the G-men and other police agencies would be 
able to monitor the transmissions sent over the wires or the 
air—but then what? If those communications were 
scrambled, those precious intercepts would be no more 
than useless static. FBI director William Sessions got the 
message and made sure that G-men would be participants 
in the NSA-NIST effort to deal with the problem. 


Now the FBI was freaking. Here was this new AT&T 
phone, designed to move secure-phone technology from a 
status item on the desks of national security advisors to a 
common commercial product, one used by executives, 
lawyers, and scientists, not to mention privacy nuts, crooks, 
terrorists, and God knows who else. It would be a law 
enforcement disaster ... unless there was a way that the 
government could somehow overhear those conversations 
as they were before encryption. Wasn’t that what Clint 
Brooks had figured out? So Brooks and his team were 
asked if the Capstone chip might go into the AT&T phone. 
As the Capstone was originally conceived, it was too 
demanding for the TSD 3600—with all its features, such as 
the digital signatures, it would require more computation 
than the device could handle. But maybe if the NSA carved 
out just the encryption algorithm and key escrow, it could 
come up with something that could simply be clipped into 
the phone in place of the DES chip. 


Even while agreeing that it could be done, Brooks was 
wary. The Capstone chip was well designed and 
represented a complete solution. Coming up with 
something new would be riskier—and to do it in time to 
stave off the AT&T phone, it would have to be done very 
quickly. There would be no time for the national debate he 
felt was so essential. 


But the FBI couldn’t wait. On October 13, 1992, Judge 
Sessions himself placed a call to AT&T’s chief executive 
officer Robert Allen. We’ve got a problem, he told him, and 
then outlined problem and solution: Would AT&T consider 
using an escrow encryption chip instead of its DES-based 
system? If the company agreed, the feds could offer 
considerable carrots. For one thing, AT&T could claim that 
it was actually providing mightier encryption, since 
Skipjack was much more difficult for outsiders to crack than 
DES. Furthermore, the United States would probably allow 
this key escrow phone to be exported. Best of all was a 
promise directed toward the bottom line: the federal 
government would buy thousands of units for its own use. 


The downside, of course, would be that potential 
corporate buyers would have to buy into the basic 
compromise that escrow entailed: the encryption would be 
strong, but one not necessarily welcome third party would 
also have a copy of the key. 


Sound familiar? It was the same situation that Whit Diffie 
had found utterly intolerable two decades earlier: the 
difficulty of two people seeking intimacy when someone else 
is in the bed. Diffie had invented public key in order to 
avoid this perversion of the cryptographic relationship. 
Indeed, the AT&T phone as originally conceived was an 
embodiment of Diffie’s vision. The users of the phone would 
not need to exchange secret keys beforehand. Instead, the 
two respective phone devices would furiously perform the 
calculations of a Diffie-Hellman key exchange, in order to 
settle on a secure DES key that would encrypt, and then 
decrypt, the actual conversation. No need for anyone else. 
You wouldn’t want anyone else. 


But the bounty offered to AT&T—and the chance to avoid 
a government confrontation—was too juicy to turn down. 
The phone company signed off on a deal: if the government 
would adopt a plan to make key escrow its standard, AT&T 
would forgo its DES scheme and install a 
government-designed chip in the device instead. This would be the 
stripped-down version of Capstone, using the Skipjack 
algorithm and the escrow features, but without the 
signature or hashing algorithms. It was given a new code 
name: Clipper. 


“We knew no decision would make everybody happy,” said 
an AT&T spokesperson. “But frankly, the Clipper Chip 
offered an important law enforcement issue and increased 
the level of protection.” More to the point, it also offered 
guaranteed sales, and the continued goodwill of one of 
AT&T’s major customers, the United States government (at 
the time, the company was negotiating a government 
contract worth over $10 billion). If key escrow became 
government policy, AT&T would happily be on board. 


But Clipper was still nowhere close to being the official 
government policy. Clint Brooks and the NSA needed one 
more big break before they could begin their journey 
toward Nirvana. That break came on November 3, 1992, 
when the United States went to the polling place and 
elected William Jefferson Clinton its president, with Albert 
Gore as his vice president. 


It might appear counterintuitive to think that those 
election results favored the NSA. After all, Clinton was a 
Democrat who had spent the Vietnam years speaking 
against the conflict instead of fighting in it. During the 
campaign, Clinton had visited Silicon Valley, and while he 
had made no promises, he indicated that his presidency 
would be a friend to private crypto. “He talked about how 
silly it was that there were export controls on off-the-shelf 
software,” remembers privacy advocate Marc Rotenberg. 
“He didn’t say ‘encryption’ specifically, but that’s clearly 
what he was referring to.” 


Another sign that Clinton might not be NSA-friendly was 
the nature of the people surrounding him. For instance, the 
head of his transition team was a former electronics 
lobbyist named John Podesta, who had vociferously 
supported the industry agenda of liberalizing export rules. 
Besides Podesta, Clinton’s minions included a number of 
people who seemed tuned into the hip and crypto-friendly 
cyber world. 


Chief among that contingent was the vice president 
himself—a self-styled computer aficionado to whom Clinton 
would delegate the ultimate decision on the cryptography 
issue. In fact, Al Gore’s presence as the nation’s 
second-in-command was often cited as proof that the new leadership 
team was a nerd-friendly future squad who “got” the new 
Internet paradigms. Their campaign speeches might have 
been about bridges to the future, but Gore’s vision was of 
an Information Highway to transform the country and 
indeed the globe. Gore arranged to bring some of the most 
techno-savvy Senate staffers to the White House to help on 
digital matters, people like Mike Nelson, a former MIT 
geophysicist experienced in Info-Highway issues. They were 
“extremely smart, conscious freedom-lovers,” wrote John 
Perry Barlow, who got to know them in his role as 
Electronic Frontier Foundation cofounder. “Hell, a lot of 
them are Deadheads. I was sure that after they were fully 
moved in, they’d face down the National Security Agency 
and the FBI.” 


Barlow had mistakenly assumed that because the Clinton 
staffers recognized the opening chords of “Sugar 
Magnolia,” they’d be immune to top-secret doom lectures 
from the star-spangled crypto boys at Fort George Meade. 
Behind the Triple Fence, the expectations were just the 
opposite. The spooks understood that Bill Clinton and his 
peach-fuzz tech squad were a godsend for the escrow idea. 


The Bush administration had never warmed to the escrow 
plan. The problem wasn’t so much that the Bush people 
were specifically against this particular scheme. They were 
against anything that required a little gumption. “The Bush 
people had spent twelve years in power, most of them with 
a Democratic Congress, and they knew that everything that 
could blow up, would blow up,” one insider explained. 
“When you presented something to them, you got nothing 
but eyes staring out.... You could sense that everyone was 
thinking, ‘How might this end up on my suit?’ ” 


In contrast, the Clinton people were policy joyriders, like 
teenagers finally granted their turn behind the wheel. They 
were totally juiced that after twelve years of dinosaur rule, 
they now had their chance to fix things. They were also 
detail freaks, eager to belly flop into the huge piles of 
clauses, footnotes, and trivia that embodied the process of 
governing. Present them with an idea and they surrounded 
it, tickled it, tore it apart to see its gears rattle, and 
wondered how they could make it work for them. They 
drew confidence from a belief that their own good 
intentions were obvious, and even if their efforts didn’t pan 
out, the public would give them credit for trying to do the 
right thing. 


The forces pushing key escrow didn’t even wait until the 
new administration reached the White House before they 
hit Clinton and Gore with the encryption problem. The 
AT&T phone threat provided an impetus. “Suddenly this 
wasn’t something where we could wait, do an orderly 
briefing of the new administration, let them get their feet 
under them, appoint their assistant secretaries, and make a 
decision in 1994,” says Stewart Baker. The idea of getting 
George Bush to sign off before vacating the White House 
had been considered, but rejected. “We believe that going 
forward with the installation of the Clipper Chip based on 
the approval of the current administration has some 
potential pitfalls,” wrote an FBI official to director Sessions 
in a late-1992 memo. What if the news of an “exploitable” 
chip leaked before the Clinton people formally approved the 
policy? “It might result in their being pushed toward 
disavowing the prior Bush administration approach in order 
to prevent the controversy.” 


Judge Sessions himself, whose fear of losing precious 
wiretaps had made him increasingly frantic on the issue, 
was the first one to hit Little Rock. “It had become his 
highest priority,” says a government official working for key 
escrow. “He was fearless in going to the transition team and 
saying, ‘You guys may be coming in January, but you’ve got 
to hear this now.’ ” In any case, the NSA was just as happy 
to let him lead. After all, Fort Meade’s stated role in 
government was not promoting policy decisions but 
providing technical background and intelligence 
information from its files. 


To frame the issues, the FBI, with the NSA’s help, 
prepared a paper entitled “Encryption, Law Enforcement, 
and National Security.” The classified document was packed 
with high-impact scenarios of what might happen if crypto 
ran free. It discussed the AT&T device as a possible trigger 
for this onslaught. But the coming disaster might be 
averted. “The solution is an encryption chip that provides 
extra privacy protection (at least a million times stronger 
than DES) but one that can be read by U.S. government 
officials when authorized by law. ... This ‘key escrow’ 
system would protect U.S. citizens and companies from 
invasion of their privacy by hackers, competitors, and 
foreign governments. At the same time, it would allow law 
enforcement to conduct wiretaps in precisely the same 
circumstances as are currently permitted under the law.” 
While the description sounded very much like a panacea to 
an otherwise apocalyptic problem, the paper did include 
one possibly annoying consequence of the policy: “This 
concept undoubtedly will be vigorously attacked by those 
who fear law enforcement abuses and thus would rather 
rely on technology than on the court to protect their 
privacy.” But that seemed rather an easy trade-off to make. 
Which would you rather tolerate—a bit of flak from privacy 
nuts, or a powerful weapon in the hands of kidnappers and 
terrorists? 


Stewart Baker was the NSA’s point man on the issue, and 
wound up coordinating much of the effort to sell escrow to 
the incoming leadership. While Fort Meade was packed 
with geniuses, it wasn’t as loaded with people who were 
comfortable dealing with the outside world. Baker had 
come a long way since Clint Brooks had come to his office 
and first told him about Equities. In that time, he had 
gotten a good view of the cryptographic landscape from the 
NSA point of view. He saw where it all fit together. You 
couldn’t mandate what people inside the country used nor 
could you keep every copy of a program like PGP away from 
every geek on the globe. But realistically, not many people 
were going to take the trouble to find exotic encryption 
software like PGP and figure out how to use it. Export 
controls were the way you stopped good crypto—everything 
from DES on up—from being built into the systems people 
used every day, and thus, out of the hands of most bad guys. 


Baker saw the Clipper scheme as a way of weaning the 
government from its dependence on export controls to 
contain crypto. There were signs that Congress might not 
support those regulations indefinitely. The business 
community was getting louder and louder in its opposition 
to them. The problem was, the software industry had grown 
up in an environment with few regulations, and was now a 
multibillion-dollar colossus. It felt that the natural order of 
things was to fight things out in the marketplace while the 
government remained some distant entity. The techies 
seemed to regard the premier crypto agency in the world 
as some doddering, irrelevant artifact of the Cold War. 
Their philosophy was hey, technology happens. Baker was 
horrified once when a Microsoft middle manager blithely 
told Baker that Bill Gates was going to put crypto into the 
Microsoft operating system, that it was going to be in all the 
applications. Who cares whether it would empower 
terrorists or rogue nations? Their attitude was, “Encryption 
is cool, let’s put it anywhere.” 


The techies weren’t unpatriotic, Baker thought, just 
clueless about the very real dangers in the world. They 
thought it was a joke that crypto was classified along with 
heavy munitions. But the ability to listen in on the world— 
with a vast multibillion-dollar network of secret satellites, 
radar installations, and ground sensors—was a pillar of U.S. 
defense policy. How did they think we discovered those 
Libyan terrorists who brought down the Pan Am jet over 
Lockerbie? How else to keep track of the North Korean 
nuke program or Iraq’s use of chemical weapons against 
the Kurds? The public had only heard hints of the 
importance of those “intercepts,” signals snatched from 
telephone conversations, digital transfers, and even walkie- 
talkie transmissions. Most of it was classified, deep black 
stuff. That’s why there were no reporters when George 
Bush himself had ventured to The Fort to extend his 
personal congratulations to the codebreakers for their work 
during the Gulf War. Just what did the spooks do? If the 
public only knew. ... 


Baker and his fellow advocates of escrow thought it 
essential that the worldview taken by the new 
administration be a more realistic and tougher one. 
Encryption should be an important part of the Networked 
Society, sure, but you needed controls. You needed limits. 
You needed a way for the good guys to hear what the 
terrorists and crooks were saying to each other. 


Early in the campaign to win the hearts and minds of the 
Clinton people, Baker and Sessions briefed Leon Fuerth, 
who would become Al Gore’s national security advisor. 
Though Fuerth was cautious, the escrow advocates could 
see that their presentation had hit the mark. They thought 
they could see it in his face: the realization that the election 
campaign was over and now the Clinton folks were going to 
be wrestling with some hard, hard issues. This was one that 
the NSA and the FBI could win. 


As December rolled on, the briefings continued. And not 
long after the inauguration, Al Gore himself got exposed to 
the religion by NSA director McConnell and Clint Brooks. It 
was a bull’s-eye for The Fort. Because Gore loved 
technology, he was able to appreciate the ingenuity of the 
key escrow scheme. A neo-Luddite Republican might have 
fuzzed out on those particulars, but Gore’s openness 
toward the idea seemed tied to his perception that these 
software gears and levers might actually work, providing a 
solution that gave something to everybody. 


As the Clinton-Gore teams shifted from transition to 
governing, the Clipper people stepped up the meetings. 
Memos flew between the NSA and NIST on how best to 
anticipate and respond to possible objections. They knew 
one potential problem: Fort Meade’s insistence on keeping 
the Clipper’s workings a secret from the public. Brooks 
tried to convince his colleagues to open up, but failed. His 
fallback plan was somehow to gin up some assurances that 
the NSA hadn’t intentionally weakened Skipjack for its own 
purposes. “Get a panel of academics from 
cryptomath/analyst community to examine classified level 
SKIPJACK to ‘assure’ it is valid/good algorithm,” he 
scrawled on a memo to his director on January 5. “Who 
should it be?” 


Meanwhile, in the White House, the barrage of briefings 
was having its effect. In their first weeks in office, Clinton 
and Gore hadn’t signed off on Clipper. But their staffs were 
coming to the conclusion that there was no other 
alternative. 


John Podesta was already on board. Maybe his personal 
tipping point came very early after the inauguration when 
some high-tech lobbyists came to visit him. At this point, 
civil libertarians and software industry people were still 
hoping that the new administration would act against the 
spooks and the cops and liberalize crypto export 
regulations. (If they’d known about the Clipper Chip they 
would have gone ballistic.) Podesta, still dazzled by the new 
toys in his office, showed them his STU-III phone, the 
standard-issue crypto phone the government had used for 
about five years. They sneered at it. “Typical clunky 
government solution,” they said. “But you know what’s 
cool? AT&T is going to make a device that’s half the size, 
much cheaper, and will do everything that one does, but 
better. You should buy those!” Though the high-tech guys 
didn’t know it, their comments resonated with the briefings 
Podesta had been getting. If the government didn’t do 
something, those damn devices probably would sweep the 
market. 


Not that the NSA/FBI Clipper cabal was relying on 
serendipity to bring the Clinton folks around. They were 
essentially stacking the deck, presenting a limited set of 
options to the greenhorns. Want to do nothing, and let the 
marketplace take its course? Fine. If you want to trigger 
crypto anarchy, that is. Doing nothing, they warned, would 
mean that AT&T would begin selling its phones and the next 
thing you knew the costs would come down and everybody 
would be talking on secure phones and e-mailing with 
crypto software. The smoke had hardly cleared from the 
World Trade Center bombing. What if another, maybe a 
worse, terrorist disaster came, and it turned out that the 
government failed to prevent it because the perpetrators 
were able to communicate with unbreakable crypto? You 
want to give Saddam Hussein access to ciphers we can’t 
break? Go ahead—do nothing. The blood will be on your 
hands. This terrified the Clinton people. 


The other alternative, which some law enforcement 
hardliners were urging, was even more extreme: ban 
crypto within the United States. In one of the FBI’s 
presentations, illustrated by a slide show with bullet charts 
to underline the salient points, the G-men merged their 
Clipper-related goals with their Digital Telephony vision. 
Essentially, the show said: because the domestic use of 
encryption is not regulated, there is a NEED FOR A 
NATIONAL POLICY that allows “legitimate” users crypto 
strong enough to foil their adversaries but also “insures 
that cryptographic devices and systems are capable of real- 
time encryption by law enforcement.” The implication was 
unavoidable: any cryptography that does not meet that 
standard should be prohibited. Even stuff distributed by 
American manufacturers for American users. Otherwise, an 
intolerable “electronic sanctuary” would exist. Forget about 
the strategy of using export controls to mitigate what 
people used inside the country. ... Our nation was at risk 
because such tools were legally available to anyone 
motivated enough to find them. Just as it was illegal to have 
nuclear weapons lying around, it should be illegal to have 
codes that could fall into the hands of those who would 
destroy society with it. In a weird way, this sentiment 
echoed Phil Zimmermann: when crypto is outlawed, only 
outlaws will have crypto. 


The Clinton people did manage to resist that demand, 
which would have started riots in Silicon Valley and 
probably wouldn’t have survived a court challenge anyway. 
The Gore team in particular was sensitive to the idea that 
the emerging Information Highway needed privacy 
protections. Besides, how would you enforce such a ban? 
What did these guys want the government to do, go house 
to house and search people’s hard disk drives for copies of 
PGP? 


So, after being presented with two unpalatable 
alternatives, the Clinton people were offered a third way, 
one which, in contrast, seemed a compromise with which 
everyone could live. In retrospect, one administration 
insider came to see it as akin to the choices offered the 
Kennedy people on the invasion of Cuba—a cowardly 
evasion of the problem, a destabilizing full-scale military 
operation, or this other plan, a small operation at some 
place called the Bay of Pigs. 


The scheme was presented to the Clinton people as plug- 
ready, poised to go into operation as soon as the president 
gave the word. Even temporary inaction would mean a 
severe and probably lingering loss of respect from the law- 
and-order constituency the administration needed. One of 
the FBI men briefing the Clinton people was a burly, street- 
smart assistant director named James Kallstrom. Formerly 
head of the bureau’s technology team, he had made his 
bones in the bugging operation that took down John Gotti. 
Some people described him as the FBI’s version of “Q,” the 
gadget wizard of the James Bond films. He had an in-your- 
face style of briefing, making eye contact and personalizing 
his rap. Are you married? Do you have a child? he’d ask. 


Then he’d launch into a scenario in which someone had 
kidnapped one of your kids and was holding him in a 
fortress up in the Bronx. The bureau suspects your kid is 
there; they have a search warrant to find him. But the 
crooks have constructed the fortress out of some new metal 
that can’t be penetrated. Your kid’s potential rescuers can’t 
get in. What a nightmare: the kidnappers, with their 
precious hostage, watching you and the G-men trying to get 
in and laughing at you. 


“That’s what the basis of this issue really is,” Kallstrom 
would say in his New York accent. “From the standpoint of 
law enforcement, there’s a super-big threat—this guy is 
gonna build this domain in the Bronx right now, because 
he’s got a big steel door, and none of the welding torches, 
none of the boomerangs, nothing we have is gonna blast 
our way in there. Sure, we want those new steel doors 
ourselves, to protect our banks, to protect the American 
trade secrets, patent rights, technology. But do we want a 
digital superhighway where major criminals can operate 
impervious to the legal process? If we don’t want that, then 
we have to look at Clipper.” 


Kallstrom, along with Baker, Brooks, McConnell, and the 
CIA’s John Deutch, became part of the key escrow team 
ostensibly briefing the administration on its options, but 
really steering it, with one hand on the scruff of its 
Democratic neck, toward an inevitable embrace of Clipper. 
One unexpected ally was commerce secretary Ron Brown; 
in the first briefing he attended, Brown mentioned that his 
army days had been spent at an NSA listening post, and he 
was fully aware of the vital importance of signals 
intelligence. By now the briefings included not only national 
security people but the Clinton-Gore science staffers like 
the Office of Science and Technology Policy’s Mike Nelson, 
infonauts well attuned to issues like personal privacy and 
the industry’s need for secure systems. (Nelson got his top- 
secret clearance in a lightning-quick three weeks.) In a 
January 26 FBI briefing, Kallstrom laid out a lot of the fine 
points of the scheme, but Gore’s senior director on 
intelligence programs, George Tenet, had further questions 
on the Clipper methodology. Who would be the key escrow 
agents? How would the international aspects be handled? A 
lengthy February 9 memo from Judge Sessions gave a 
detailed summary of the plan and the dire implications that 
would ensue if no action was taken. 


So, barely a month into the Clinton administration, the 
pressure was intense to move on Clipper. Supposedly, AT&T 
would ship ten thousand DES-equipped phone devices by 
April 1 if no action was taken. But by then, the 
administration’s crypto team—consisting of national 
security people and Internet specialists—had almost 
imperceptibly shifted from decision making to 
implementation. It was their first big initiative, and they 
wanted it done fast: the word “closure” kept popping up in 
their correspondence. A typical internal memo, dated 
March 5, was from George Tenet to Gore’s national security 
advisor Leon Fuerth and his colleague William Wise: the 
header read “HELP HELP HELP” Then, “Desperately need 
time from the VP”—for a meeting with the past and current 
NSA directors on the encryption issue. “I think I know what 
the VP wants to hear McConnell/Studeman talk about,” 
Tenet continued, finishing with the odd closing, “God bless 
you all.” 


All through March, the meetings continued. Meanwhile, 
industry and civil liberties groups were lobbying the 
newcomers, still hoping that the new administration would 
be amenable to considerable reform on crypto. “You’re 
holding back e-commerce, you’re endangering the security 
network, and besides, it’s all out of control, anyway!” one of 
them shouted at Gore’s people. But the Clinton people had 
already mentally aligned themselves with the government 
insiders at the NSA, the FBI, the Justice Department, and 
the CIA. The classified briefings had done the trick, 
particularly the warning that if no action was taken, people 
will die. Are you willing to sacrifice human lives, they were 
asked, for a fraction of a decimal point rise in the GNP? The 
tack was devastatingly effective: the dilemma was 
essentially resolved by framing it as a choice between 
thousands of people dying and Bill Gates being 10 percent 
richer. “That’s a pretty easy decision,” says an 
administration official. 


Not that there weren’t qualms within the White House. 
The biggest question the Clinton aides asked themselves 
was, “Why would anyone want Clipper?” (After all, the plan 
was supposed to be voluntary.) Another problem was the 
requirement that the Skipjack algorithm remain under 
wraps. It was inevitable that its secrecy would lead critics to 
charge that the scheme was a Trojan horse to bring flawed 
crypto into the infrastructure. But the NSA wouldn’t budge 
on secrecy. 


Finally, there was the problem of how the key escrow 
scheme would play overseas. If a crypto solution was not 
global, it would be useless. If buyers abroad did not trust 
U.S. products with the escrow scheme, they would eschew 
those products and buy instead from manufacturers in 
Switzerland, Germany, or even Russia. And how could you 
handle key escrow in other countries? Should the United 
States allow access to stored keys to free-speech- 
challenged nations like Singapore, or China? And would 
France, Egypt, Japan, and other countries be happy to let 
their citizens use products that allowed spooks in the 
United States to decipher conversations but not their own 
law enforcement and intelligence agencies? The answers to 
those questions were not forthcoming because the planners 
of Clipper never did work out a solution to its global 
implications—another consequence that came with rushing 
Clipper out of the door. 


None of those objections were sufficient to sink the plan. 
At six in the evening on March 31, 1993, in the White House 
Situation Room, Vice President Gore went over the 
proposed directives in a meeting that included the whole 
gamut of law enforcement, intelligence, and national 
security leaders. Not long afterward, he briefed the 
president with his recommendation. Bill Clinton agreed. 


Clipper was a go. 


From that point the operation shifted to what one 
participant calls “White House Marketing.” Press releases 
were drafted. Mike Nelson set about writing an explanation 
of the proposal in question-and-answer form. Then on the 
eve of the announcement itself, the White House prebriefed 
a number of representatives from Congress, industry, and 
the civil liberties groups on the issue, not so much to collect 
feedback as to forestall charges that the Clinton people had 
blindsided them with the abrupt change in course. 


Still, no one at the White House anticipated a major 
clamor over Clipper. But Clint Brooks saw trouble coming— 
this issue had the potential to leak outside the Beltway, to 
make real enemies out of potential sympathizers. They just 
don’t get it, he complained to Stew Baker on one drive 
between Fort Meade and the White House. At one meeting, 
he asked, “Who’s going to handle this on Larry King Live?” 
His question was ignored. A few minutes later, he repeated 
it. A senior administration official sternly told him, “Clint, 
we appreciate your sense of humor but this is really serious 
—you handle the technical stuff and we’ll handle the 
political stuff.” (Some months later, when Al Gore appeared 
on Larry King Live to talk about the Information Highway, 
the first question posed to him was about... the Clipper 
Chip.) 


The briefings with Congress and industry went pretty 
much as expected: the proposal was received cautiously, 
even skeptically, but not dismissed out of hand. One 
legislative staffer complained that when the Clinton people 
were challenged, they went on the offensive. “Do you want 
to be responsible for kidnappers?” the Clintonistas would 
ask, and the legislators would crumble. The sessions with 
civil liberties groups weren’t so cordial. John Perry Barlow 
of the Electronic Frontier Foundation got one of those last- 
minute briefings and couldn’t believe his ears. He felt that 
his new friends in the White House had been “drinking the 
Kool-Aid,” a national security version of Jonestown. What 
particularly offended him was Mike Nelson’s invocation of 
the classified information he had heard and Barlow had not. 
“If only I could tell you what I know, you’d feel the same way 
I do,” Nelson said. Thousands could die, he confided. 
Barlow felt he was hearing the same phony music that had 
been sung by the Vietnam warmongers. What Clipper really 
represented, he felt, was a plan that would “initiate a 
process that might end freedom in America.” 


Then there was Clint Brooks’s effort to get outside 
experts the information necessary to explain the benign 
nature of the system to the public. The night before the 
announcement, Brooks himself ventured through a driving 
rain to brief Georgetown computer science professor 
Dorothy Denning, his first choice to lead the panel to vet 
the classified Skipjack algorithm. It would be an inspired 
choice. Denning was an expert on crypto and computer 
security but her demeanor was as benign as Betty 
Crocker’s. (Science fiction writer Bruce Sterling once 
described the diminutive woman as “something like a 
Pilgrim maiden behind leaden glass.”) She was already on 
the record as supporting the regulation of cryptography, 
and coincidentally at the time of Brooks’s visit had just 
experienced an awkward situation in which she’d been 
unable to get into her locker after a swim in the university’s 
indoor pool; only helpful maintenance men with heavy-duty 
cutters (the equivalent of escrow agents!) saved her from 
venturing into forty-degree weather in her wet bathing suit. 
Not only was she ready to defend key escrow, she came to 
feel it was her destiny. 


On April 16, President Clinton unveiled the new initiative. 
In his press secretary’s announcement of the plan, the issue 
was presented to the public as a middle ground between 
two dreadful extremes—much as the situation had been 
presented to the administration by the NSA. Seen through 
that filter, the Clipper Chip was to be regarded as a 
godsend: 


The chip is an important step in addressing the 
problem of encryption’s dual-edged sword: 
encryption helps the privacy of individuals and 
industry, but it can also shield criminals and 
terrorists. We need the “Clipper Chip” and 
other approaches that can both provide law- 
abiding citizens with access to the encryption 
they need and prevent criminals from using it to 
hide their illegal activities. 


The actual announcement did not establish Clipper as a 
standard, but it did affirm that the government itself was 
committed to buying thousands of the AT&T Clipper-inside 
devices for its own agencies. The hope was that while 
Clipper was designed to be a voluntary standard, its 
adoption and endorsement by the government would tip the 
marketplace to make it ubiquitous. The ultimate 
recommendation would come after Clinton received the 
results of a widespread blue-ribbon review on the national 
crypto policy that would look at the escrow initiative and 
reevaluate the export laws. 


With that announcement, Bill Clinton and his people felt 
that they had made a big step toward avoiding what 
seemed like a disastrous collision in the crypto world, one 
that had seemed predestined since the day that Whit Diffie 
figured out how to split the cryptographic key. In fact, the 
Clipper Chip did mark the turning point in the battle, but 
not at all in the way the Clinton administration had 
intended. By promoting Clipper as its key escrow flagship, 
the government profoundly erred. Instead of a nuanced 
debate on encryption, from that point on the merits—and 
drawbacks—of this particular scheme would become the 
main crypto battleground. Clipper itself was the issue, and 
Clipper as proposed was vulnerable. And Clint Brooks, who 
was more than anyone its architect, saw what was 
happening, but was powerless to prevent it. 


At first, things didn’t look so bad. From the vantage point of 
the White House and Fort Meade, it appeared that what 
relatively little public attention the Clipper Chip had 
garnered was fairly balanced. The New York Times article, 
published on the day of the announcement, had set a 
reasonable tone, right from its lead. The Clinton 
administration was “about to announce a plan to preserve 
privacy in electronic communications... while also insuring 
the government’s right to eavesdrop for law enforcement 
and national security reasons.” Balance. Of course, the 
article did quote one industry representative as saying, 
“The government is creating a monster.” 


In the days following, there was no rush to embrace the 
plan by the various stakeholders who might be affected by 
it. The feds took succor, though, in the lack of a widespread 
outcry against it. The Internet, of course, was buzzing with 
fears of police-state tactics, but on the other hand, Dorothy 
Denning had almost immediately posted a clear-headed 
description of the system itself and was already serving as 
an example that the crypto community was not universally 
anti-Clipper. Better yet, an unexpectedly friendly 
description of the plan came from Marty Hellman, whom 
Brooks had briefed by phone on the eve of the 
announcement. Hellman’s explanation of the scheme was 
cautiously neutral (though he did warn that there should be 
safeguards in the legal process leading to key retrieval), 
and was posted on the influential “Interesting People” 
mailing list run by Net gadfly David Farber. 


On April 20, Clint Brooks wrote a memo reflecting his 
optimism. “The reactions I am getting from academic and 
industry people is that this may succeed,” he wrote. So 
much so, these people were telling him, that the 
government may have not allocated enough digits in the 
chip identification fields to handle all the Clippers that 
would come into use. A hundred million would not be 
enough! 


But that initial success was illusory, like a second-rate 
baseball team sitting in first place after a lucky string of 
April wins. The first serious rumbles came from the crucial 
information industries. After going over the plan, they 
concluded that the opportunity it offered to build strong 
exportable crypto into their systems was more than 
canceled out by the presence of the Law Enforcement 
Access Field, which provided keys to government snoops 
with warrants. The point of exporting crypto, after all, was 
to serve customers overseas. But what foreign companies 
wanted to buy a security system where the keys were 
stored in United States government escrow facilities? The 
business leaders joined with the already skeptical civil 
liberties people and fed on the energy of the grassroots 
Internet folk, who’d hated it from the get-go. Then they all 
took their case to the media. Though the reaction took a 
few months to build, the Clipper coverage eventually 
exceeded all the publicity that any previous cryptological 
development had ever received. 


Little of it was favorable. All the time the government was 
planning its key escrow initiative, its creators had implicitly 
believed that only an isolated few would question their 
motives. They saw the selling of Clipper as a process by 
which responsible people would have a number of 
concerns, and the government would respond to those. One 
prime concern, they figured, would be a fear that the 
mechanics of the escrow scheme would somehow 
compromise the security of the encryption itself, making it 
easier for crooks and spies from other countries to do the 
unscrambling. Another would be that the key escrow 
facilities themselves might be vulnerable. What this 
thinking didn’t account for was that the very basis for the 
scheme—a government means by which to flip the 
“descramble” switch for its own purposes—was offensive to 
most people. All opponents had to do was use a simple 
analogy—What if you had to leave a copy of your front door 
key at the police station?—and even a Joe Sixpack who 
didn’t know encryption from a forward pass would be an 
anti-Clipper convert. “The idea that government holds the 
keys to all our locks, even before anyone has been accused 
of committing a crime, doesn’t parse with the public,” 
explained Jerry Berman of the EFF. “It’s not America.” 


Others didn’t need such analogies. One of the basic 
reasons many people wanted to use crypto was to keep 
information from the government itself. Not that they were 
necessarily lawbreakers. They simply didn’t trust the 
government. The bureaucrats who made the plan were a 
generation removed from Watergate, but anyone who had 
been around in the seventies might have known better. 


Former NSA director Bobby Inman, for instance, got an 
early briefing on the Clipper Chip and he sensed right away 
that it was doomed. Who wanted to give the government a 
direct pipeline to your information? The cypherpunks 
understood this, and immediately initiated a guerrilla 
campaign to infect the media and the general population 
with the anti-Clipper message. At their monthly meeting, 
Eric Hughes solicited an agenda of possible actions 
including everything from advocacy press kits to stumping 
for a procrypto constitutional amendment. Tim May 
suggested active sabotage of Clipper, or a boycott of AT&T. 
One effective prank they did pull off was distributing a little 
decal to stick on your laptop. Designed to resemble the 
famous Intel Inside logo, it read, “Big Brother Inside.” That 
pretty much said it all. (Intel quickly threatened to sue for 
trademark infringement, and the offending cypherpunks 
stopped distributing the stickers.) 


Opposition came from all quarters. The ACLU found itself 
agreeing with Rush Limbaugh, who attacked Clipper on his 
radio show. Digital hippies savored the William Safire 
column “Sink the Clipper Chip,” where he noted that the 
solution’s name was well chosen, “as it clips the wings of 
individual liberty.” 


Tim May often expounded a theory that Americans are of 
two minds when it comes to privacy. One involves the public 
interest and was essentially anticrypto: “What do you have 
to hide?” The other expresses the individual ethic of the Bill 
of Rights, and is proprivacy: “None of your business.” Any 
successful policy has to walk down the middle of those 
opposing sentiments. But Clipper, in its insistence that 
nothing should be hidden from the government, never 
established that balance. Once people began calling it the 
Big Brother Chip, the game was over. 


The government did its best to defend the scheme. 
Stewart Baker briefed industry figures including crypto 
advocate Bill Gates, to little avail. He went into the lion’s 
den, speaking at procrypto events like the Computers, 
Freedom, and Privacy conference—where he belittled the 
anti-Clipper forces to their faces, calling their actions, “the 
revenge of people who couldn’t go to Woodstock because 
they had too much trig homework.” He taunted them with 
the “If you knew what I know” argument. Your view of 
privacy, he told them, reflects a hopelessly naive view of the 
world. “By insisting on having a claim to privacy that is 
beyond social regulation, we are creating a world in which 
[crooks and terrorists] will flourish and be able to do more 
than they can do today,” Baker warned. 


Not all the news was bad for the government. In the 
summer of 1993, the Skipjack algorithm was deemed 
strong by the team of “independent experts” led by Dorothy 
Denning and including Walt Tuchman (who had led IBM’s 
DES team) and Ernie Brickell (who had picked up the 
$1000 reward for cracking Merkle’s multi-iteration 
knapsack cipher). Denning had become so fierce in her 
defense of the government, clearly articulating a position 
that posited the dangers of crypto anarchy, that critics were 
calling her “Clipper Chick.” Her disinterested status made 
her more effective in public forums than the 
administration’s battered tech squad, which was beginning 
to regard its appearances at Internet-related conferences 
with all the enthusiasm of dental surgery. Who could blame 
them, as question after question drilled in the reality that 
their natural constituency of tech-savvy “Netizens” now saw 
them as virtual brownshirts? The White House’s Mike 
Nelson came to refer to crypto as “the Bosnia of 
telecommunications.” 


Still, Clipper seemed cursed. At every turn a new problem 
cropped up. For example, not long after the announcement 
of the plan, the government heard from an MIT professor 
named Silvio Micali. Micali, who worked in MIT’s 
mathematics and cryptography group (led by Ron Rivest), 
had devised some mathematical protocols he called “Fair 
Cryptosystems” that seemed similar to the government’s 
key escrow scheme. He had published a paper on them in 
1992 and had gotten a patent for them. The government 
quietly paid Micali a million dollars to license his patent. 


Even the chip’s name proved to be a problem. “Clipper 
was our cover name, à la NSA normal operations,” Brooks 
wrote in an early 1992 memo. “I tried to get people not to 
use this outside the agency, but the policy makers and their 
staffs found it so convenient to use that it stuck.” 
Unfortunately, a company named Intergraph was already 
selling a microprocessor it called Clipper, and the United 
States had to pay a considerable sum to buy the rights to a 
moniker that was well on its way to what marketers call a 
brand disaster. 


Other problems were purely technical. The chipmaker 
Mykotronx was a government and commercial contractor 
unaccustomed to the demands of the consumer 
marketplace, and its chip wasn’t built to accommodate 
high-bandwidth data rates. In its haste to get the Clipper 
Chip into the AT&T phones, the NSA had created a product 
that might have been adequate for the communications 
technology of 1993 but was woefully inefficient for the high 
speed of information flow in the glistening future that would 
arrive, oh, two years or so later. In other words, as critics 
noted with withering irony, by the time a security company 
took the fifteen to eighteen months to build a product 
around Clipper, the hardware would be obsolete. 


Did anyone like Clipper? As part of the process, NIST had 
been required to solicit public comment on the plan. Three 
hundred and twenty individuals and organizations 
responded; of those, only two agreed with Clipper. “This is 
not a Hall of Fame batting average,” conceded NIST official 
Lynn McNulty. 


But the Clinton people would not budge. On February 4, 
1994, the president formally endorsed Clipper—known as 
the Escrow Encryption Standard—as a Federal Information 
Processing Standard. The government would immediately 
start buying Clipper-equipped AT&T phones for its own use, 
escrowing keys with NIST and the Treasury Department. 
(This despite the fact that the technology did not yet 
actually exist to perform decryption of keys retrieved from 
the as-yet-nonexistent escrow facilities.) 


“The War is upon us,” wrote Tim May. “Clinton and Gore 
folks have shown themselves to be enthusiastic supporters 
of Big Brother.” 


In the Senate, Patrick Leahy, among others, vowed to 
fight Clipper, insisting that without congressional approval 
the project could not be funded (setting up the program 
would cost $14 million, with an annual $16 million 
budgeted for the escrow facilities). In May 1994 he held 
hearings. In rare public appearances, Clint Brooks and 
Mike McConnell presented the view from behind the Triple 
Fence, essentially congratulating the administration for 
taking the right approach. “There are, to be sure, issues to 
be ironed out,” concluded McConnell. “But I am confident 
we will work out the wrinkles.” 


Then a panel of opponents showed those “wrinkles” to be 
approximately the size of the Colorado River basin. 


One tough question they posed: Who would want to use 
Clipper, when there were already programs like PGP 
readily available? The government’s response had been the 
“stupid crook theory,” best explained by the FBI’s Jim 
Kallstrom, who professed to have himself heard mobsters 
on wiretaps make jokes about being wiretapped—and then 
engage in incriminating conversations, simply because it 
was too awkward to go outside and use a pay phone. “If in 
five years this catches on and people put Clipper in their 
devices, a high percentage of criminals will go to a Radio 
Shack or some other place like that to buy some sort of 
encryptor,” he said. “They’re not going to remember that in 
1994 some article [appeared] in the Wall Street Journal 
[about key escrow]. Maybe in the fine print somewhere it'll 
say Clipper something. But it’s not going to be readily 
apparent—it’ll be part of the landscape. That’s what would 
be our desire.” 


OK, so stupid crooks might use it. But the antigovernment 
witnesses noted that if smart criminals eschewed Clipper, so 
would the overseas customers who were crucial to its 
adoption. What was in it for France or Japan or Indonesia to 
sign on to a plan where the keys to their citizens’ private 
conversations—possibly involving invaluable business 
secrets—were held jointly by two branches of the United 
States government? 


Perhaps the most persuasive witness was Whit Diffie. He 
testified not only as one of the inventors of public key but as 
a representative of one of the ad hoc organizations lobbying 
against Clipper, the Digital Privacy and Security Working 
Group. Diffie tried to put the issue into historical 
perspective. Governments had been similarly concerned 
with previous revolutions in telecommunications, like the 
transatlantic cable and the advent of radio. Despite fears 
that governments would lose sovereignty, these 
developments turned out to prove tremendously useful to 
governments. Computer communications, too, would 
probably, on the whole, increase government power. But 
the United States seemed loath to allow any of that power 
to accrue to its citizens. While the government claimed only 
the desire to retain its current ability to wiretap, the fact 
was that during the time of the founding fathers, privacy 
was easily obtained simply by walking out of the earshot of 
others. “It seems that the right... of the participants to 
take measures to guarantee the right to speak privately can 
hardly have been in doubt, despite the fact that the right to 
speak privately could be abused in the service of a crime,” 
said Diffie. Today, of course, people communicate largely by 
electronic means, from the telephone to the computer. 
Could it be that the government has the right to deny the 
possibility of privacy in those conversations? “The 
legitimacy of laws in a democracy grows out of the 
democratic process,” Diffie told the senators. “Unless the 
people are free to discuss the issues—and privacy is an 
essential component of many of those discussions—that 
process cannot take place.” 


Not long after the Senate hearings, Clipper suffered 
perhaps the worst blow of all. It came not as a tirade in 
Congress, an attack by an industry representative, or a 
screed from a cypherpunk. It was the result of a scientific 
experiment conducted by a formerly obscure research 
scientist named Matthew Blaze. Essentially, he made the 
Clipper Chip look stupid. 


Blaze was a New York kid, a classic science nerd. He’d 
dropped out of a preppy private school, worked for a while 
as a paramedic (the first person hired by the city’s 
emergency medical service without a driver’s license), then 
drifted back to college, earning a degree in two seemingly 
incompatible sciences: computer and political. At graduate 
school at Columbia, he began seriously thinking about 
crypto. Talking to his officemate, a guy named Stuart Haber, 
who had devised a way to use public key to time-stamp 
documents digitally (providing an electronic equivalent to 
the old trick of postmarking a letter to affirm its age), he 
realized that crypto was both a way to tackle important 
mathematical problems and a practical lever to change 
society. Blaze was also a big believer in privacy rights. 


After switching to Princeton and getting a Ph.D., he went 
to work for the small crypto group at AT&T’s Bell Labs 
research facility. Blaze began working in areas of 
encryption other than algorithms. His group was more 
concerned with basic research than AT&T’s secure system 
group in North Carolina, which had produced the TSD 3600 
device that was slated to be the Clipper phone. In fact, he 
found out about Clipper by reading the newspaper like 
everyone else. 


But as the Clinton administration was readying its 
February 1994 endorsement of the escrow standard, it had 
initiated a series of technical briefings that included the 
Bell Labs crypto group. Several NSA scientists came to 
New Jersey for a briefing. Though the group could 
generally be described as anti-Clipper—besides the privacy 
implications, as cryptographers they were offended at the 
security risks of sending a key to a third party—“we 
managed to be on our best behavior,” says Blaze, “not 
letting the meeting degenerate into whether this is a good 
idea.” Afterward, he asked if he could post a summary of 
the meeting to the Internet, and Blaze stuck to the facts in 
that as well. 


This impressed people behind the Triple Fence, who 
apparently thought Blaze could be another valuable outside 
tester of Clipper technology. They invited him and a 
colleague to Fort Meade to get a prototype of Tessera, the 
smart-card-based version of the escrow system. (Tessera 
was to be a portable version of the whole-enchilada 
Capstone cryptosystem that Clint Brooks favored over the 
limited Clipper Chip.) Never having been there, Blaze was 
excited. He was given the standard visitor’s badge with a 
sensor that tracked him through the building: when his host 
took him through he had to keep facing security cameras 
and assuring some unseen guard that Blaze was with him, 
and a disembodied voice said, “Okay, thank you.” Even 
between the briefing room and the bathroom this happened 
a couple of times. “They didn’t actually follow me into the 
bathroom,” Blaze says. When the Bell researchers left, they 
were given Tessera cards, a stack of manuals, and NSA 
coffee mugs. 


Blaze immediately began testing the system, focusing on 
the Clipper aspects of the device. Unlike Dorothy Denning’s 
team, which had focused on Skipjack, Blaze wondered 
whether there was a way to actually use the strong 
encryption while defeating the escrow feature. In other 
words, could a crook, terrorist, or someone just wanting 
privacy use Clipper’s crypto without being identified? He 
focused his efforts on studying the Law Enforcement Access 
Field. “I wasn’t even thinking of it as a potential weakness,” 
he says. “But it turned out that the obvious way of defeating 
the LEAF was pretty much the first thing you would initially 
think of.” 


Using a card reader and a little program that simulated a 
wiretap, he began testing. The simplest things—altering the 
code so you wouldn’t send the identifier, or sending some 
other number in place of the identifier—didn’t work. But it 
took only a bit of thought to come up with slightly more 
complicated ways that did work. The breakthrough came 
when Blaze, poring over the manuals, noted that the 
“checksum” in the LEAF was only 16 bits long. (The 
checksum is the way to verify that the proper LEAF, 
including the chip identifier and session key that encoded 
the conversation, was indeed sent off to the authorities. The 
proper number in the checksum is like an “all’s clear” that 
says everything is OK. If there was some way of creating a 
counterfeit LEAF with a legitimate checksum, in effect you 
would have defeated the Clipper system. The encryption 
would work, but the wiretappers wouldn’t have the proper 
session key to decrypt the conversation.) 


“Sixteen bits isn’t a very big number these days, 
computationally,” Blaze says. Within a few hours he hacked 
up a “LEAF-blower,” a quick program that could send out 
every possible combination (2 to the 16th power) of 
checksum numbers, then hooked it to his test system. He 
really didn’t expect it to work—it seemed so easy. But it did 
work, each time he tried it. In no more than forty-two 
minutes, he was able to send out a checksum that spoofed 
the escrow system into mistakenly assuming he was 
sending out the data that could lead investigators to the 
escrowed key—when in fact that data would lead them 
nowhere. Instead, the wiretapper would be faced with a 
conversation encrypted by the powerful Skipjack algorithm, 
deemed uncrackable by the NSA itself. (He also found a way 
in which two people conspiring to defeat the LEAF system 
could do so even more quickly.) 


What Blaze did not know was that the small checksum 
space was no accident but an artifact of the haste with 
which Clipper was prepared. During the hurried design 
process the NSA engineers consulted with various technical 
experts at telephone companies, and were warned that with 
wireless phones, any system that required transmission of 
too many bits would be deemed impractical. So the LEAF 
field was limited to 128 bits. Of that, 32 bits had to be used 
for the chip identifiers, leaving only 96 bits for an actual 
encryption key and the checksum. The NSA wanted a large 
checksum, but the FBI insisted on using 80 bits so the full 
session key would be transmitted. (An alternative may have 
been to leave off some of the key bits and allow the FBI to 
complete the decoding by a brute-force attack. If, for 
instance, eight bits had been diverted from the keyspace to 
the checksum, the FBI could have run through a mere 256 
different alternatives to find its key—but Blaze’s attempt to 
crack the checksum would have taken not 42 minutes, but 
more than a week. That’s a long time on hold.) 
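The bit budget and checksum search described above can be modelled directly. This is an added example, not code from the book or from Blaze's paper: the truncated HMAC-SHA256 checksum and the `FAMILY_KEY` value are stand-in assumptions (the text does not give the real checksum algorithm), and the 42-minute figure is scaled linearly with the size of the search space.

```python
"""Model of the 128-bit LEAF bit budget and its checksum (added example)."""
import hashlib
import hmac

LEAF_BITS = 128              # total field size (from the text)
UNIT_ID_BITS = 32            # chip identifier (from the text)
SESSION_KEY_BITS = 80        # full session key (from the text)
BASELINE_CHECKSUM_BITS = 16  # checksum size actually chosen
BASELINE_MINUTES = 42        # upper bound reported for the 16-bit search

# Constructed value: stands in for a secret known only to the verifiers.
FAMILY_KEY = b"constructed-demo-family-key"


def layout(checksum_bits):
    """Split the 96 bits left after the unit ID between key and checksum.

    Returns (key_bits_sent, key_bits_withheld).
    """
    key_bits_sent = LEAF_BITS - UNIT_ID_BITS - checksum_bits
    if not 0 < key_bits_sent <= SESSION_KEY_BITS:
        raise ValueError("checksum must be 16..95 bits in this model")
    return key_bits_sent, SESSION_KEY_BITS - key_bits_sent


def checksum(unit_id, key_part, bits):
    """Stand-in keyed checksum: HMAC-SHA256 truncated to `bits` bits.

    Assumption: the real LEAF checksum algorithm is not given in the text.
    """
    mac = hmac.new(FAMILY_KEY, unit_id + key_part, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - bits)


def verifier_accepts(unit_id, key_part, claimed, bits):
    """The receiving side's check: does the claimed checksum match?"""
    return checksum(unit_id, key_part, bits) == claimed


def accepted_values(unit_id, key_part, bits):
    """Count how many of the 2**bits checksum values the verifier accepts
    for a field built by someone who does not know FAMILY_KEY."""
    return sum(
        verifier_accepts(unit_id, key_part, guess, bits)
        for guess in range(2 ** bits)
    )


def worst_case_minutes(checksum_bits):
    """Scale the reported 42-minute bound with the checksum search space."""
    return BASELINE_MINUTES * 2 ** (checksum_bits - BASELINE_CHECKSUM_BITS)


def tradeoff(checksum_bits):
    """Cost to each side of moving key bits into the checksum."""
    sent, withheld = layout(checksum_bits)
    return {
        "checksum_bits": checksum_bits,
        "key_bits_sent": sent,
        # Keys the lawful recipient must try to fill in the withheld bits.
        "agency_search": 2 ** withheld,
        "forger_worst_case_minutes": worst_case_minutes(checksum_bits),
    }


if __name__ == "__main__":
    # Constructed inputs: an all-zero unit ID and an all-zero key field.
    bogus_id, bogus_key = bytes(4), bytes(10)
    hits = accepted_values(bogus_id, bogus_key, 16)
    print(f"16-bit checksum: {hits} of {2 ** 16} values accepted")
    for bits in (16, 24, 32):
        row = tradeoff(bits)
        days = row["forger_worst_case_minutes"] / (60 * 24)
        print(row, f"(~{days:.1f} days)")
```

With any fixed bogus field exactly one checksum value passes, so the verifier's only protection is the size of the space being searched: each bit moved from the key to the checksum doubles both the escrow holder's key search and the forger's worst case.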


In a few days, Blaze sent a draft paper of his findings to 
his colleagues at Bell Labs. Most of them couldn’t believe it. 
“Are you sure about this?” they asked, suggesting he 
recheck his work. He did. Then he began the more delicate 
process of checking it with outsiders. One morning Blaze 
girded himself and sent a fax of his draft to Fort Meade. 
Right after lunch he got a call back, affirming his results 
were technically correct. 


“What are you planning on doing with this?” asked his 
NSA contact. 


Blaze took a deep breath. “I’d like to publish it.” 


To his surprise, no objection was raised. His NSA reader 
did point out a couple of errors in numerical transcription 
and one grammatical error. Now all Blaze had to do was get 
an okay from his employer—who had millions of dollars 
riding on its Clipper phones. Though there were some who 
wanted to bury the paper, eventually Blaze managed to 
convince his bosses that it would be impossible to keep his 
findings secret, so they shouldn’t even try. In any case, John 
Markoff of the New York Times had already gotten wind of 
the work. Blaze got permission to send him a draft, so that 
whatever story ran would be accurate. Markoff called back 
for some clarification and a few hours later called back 
again and asked Blaze a strange question: how newsworthy 
did he consider the story? Blaze felt that it was indeed a 
story—it showed how rushed the NSA was to get its system 
out, and emphasized how dangerous it was to foist 
something half baked on the public—but not a front-page 
story or anything like that. Not long afterward, Markoff 
called again, almost apologetically, and said that it had been 
a slow news day so the story was going to be more 
prominently placed. Blaze figured that meant it would lead 
the business section. 


He’d heard that you could get the next day’s paper at 9 
p.m. if you went to the Times Building, and he was curious 
enough to do so. After opening the paper, he went through 
it and was disappointed to find nothing. “It hadn’t occurred 
to me to even look on the front page until I had gotten out 
of the building.” But there it was—leading the entire paper 
on the sweet spot in the rightmost column of page one, 
headlined FLAW DISCOVERED IN FEDERAL PLAN FOR WIRETAPPING. 


This was significant in several ways. First, though the flaw 
itself could be fixed—and arguably didn’t compromise 
security much—the very fact that such a weakness existed 
put a permanent taint on a system dependent on public 
trust. But perhaps more important was that the former 
backwater, mumbo-jumbo subject of crypto had raised its 
profile so high that even a moderate development like 
Blaze’s crack could be seen by the Times editors as the 
most important story in the world that day. What made this 
dry topic sexy was the whiff of a Big Brother who couldn’t 
even program correctly. The government unintentionally 
played into that role when an imperious NSA official 
insisted that Blaze’s attack, while feasible, was unlikely in 
practice—not a particularly comforting assurance for the 
nation’s cryptographic caretaker. Much stronger was Marty 
Hellman’s assertion, “The government is fighting an uphill 
battle.” 


Meanwhile, after some initial supply problems, the 
government was already starting to use Clipper phones. 
(The more comprehensive Capstone chips, designed to 
escrow computer communications, were late in entering 
the pipeline.) Approximately once a week, four couriers 
with security clearance—two each from NIST and the 
Treasury Department—flew from Washington, D.C., to 
Torrance, California, to the so-called programming facility 
at Mykotronx headquarters. (The redundancy was 
intentional, conforming to the Two-Person Integrity Protocol 
also used for nuclear weapon controls.) Once inside they 
waited while a Sun workstation did its work, first 
generating the unique cryptographic keys that would be 
blown into the MYK-78 (Clipper) chips, then splitting the 
keys into two parts and creating two stacks of floppy disks, 
each one with a set of partial keys. To reconstruct the full 
keys inside the chips required both sets of disks. 


Backup sets were produced by the same method. Then 
the disks were separated, each one going with a pair of 
couriers. A plastic seal went over the disks. When the 
couriers returned to their respective agencies, the disks 
were placed in double-walled safes meeting government 
standards for classified materials. A set of the backups went 
in another safe. And there they waited, about 20,000 key 
splits by May 1994, sitting undisturbed while the war over 
Clipper continued. 


In late January 1994, the Computer Professionals for 
Social Responsibility had written a letter to the president 
urging that he rescind the Clipper proposal. It was cosigned 
by privacy experts, industry figures, academics, and 
cryptographers, and supplemented by signatures gathered 
over the Internet. Within a few months, the petition—one of 
the first Internet political protests—boasted over 47,000 
endorsers. While a skeptic might dismiss this as a result of 
overheated Net-heads, a New York Times/CNN poll showed 
that the government had clearly suffered a Custer-sized 
rout in the public relations arena. Eighty percent of the 
American public now opposed Clipper. 


Not that it did any good. The administration was betting 
that the export regulations would prevent strong crypto 
from being built into products that people routinely used, 
and key escrow would be the only game in town. But 
Congress had the power to change those regulations. And 
pushing hardest on the issue was a thirty-eight-year-old 
single woman in her first term in Congress. 


Maria Cantwell was a daughter of an Indiana politician. 
She’d moved to Washington State in her twenties, served in 
the legislature there, and in 1992 pulled off a successful 
run for the House. Her district, consisting of part of Seattle 
and the towns east of Lake Washington, was loaded with 
high-tech companies, from Nintendo to Microsoft. So when 
choosing a committee to serve on she focused on one of the 
software industry’s main concerns, exports, and requested 
the Foreign Affairs Committee—specifically, its 
subcommittee on economic policy, trade, and environment. 


She’d hardly gotten familiar enough with the House to 
find the cloakroom when the Clipper announcement hit. It 
infuriated her big high-tech constituents, and she began to 
look more deeply into the problem, particularly at the 
export regulations. She worked closely with the affected 
software companies, not only those in her district like 
Microsoft but others like Lotus. The more she learned about 
the export regulations of crypto, the more absurd they 
seemed in the computer age. They can’t be so myopic to 
think cryptography is a munition, she’d say to Sam 
Gejdenson, the subcommittee chair and one of her 
legislative mentors. If they continue, you won’t be able to 
get protection on the Internet. 


Meanwhile, the export situation was at a standstill. In 
1992, some of the leaders of the new industry, like Lotus’s 
Ray Ozzie and Microsoft’s Nathan Myhrvold, had spent an 
incredible amount of energy negotiating a deal with the 
NSA. The talks were a classic culture clash. The software 
guys thought it absurd that government was attempting to 
contain bits of code within national borders, when 
algorithms with the same ciphers were openly published in 
countries from Germany to Russia. It was the worst sin 
among nerds: illogical behavior. Or was it? “Don’t you 
realize,” Myhrvold once asked one of the spooks in a 
briefing session, “that you’re like the little Dutch boy, trying 
to use your fingers to plug the dike against a sea of strong 
crypto?” 


His tormentor smiled. “Every day the dike doesn’t break,” 
he said softly, “is a victory.” And it was true. Sure, the crypto 
genie had escaped the bottle. But if you throw enough 
obstacles in the genie’s way, it’ll take him a long time to 
perform any magic. 


Finally, all that energy resulted in a temporary 
compromise. Working with an industry group called the 
Software Publishers Association, the companies got an 
agreement for “expedited consideration” when they 
exported software programs sold in shrink-wrap to retail 
customers. The requirement was that the encryption in 
those products would be Ron Rivest’s ciphers RC-2 or RC-4, 
using keys of no more than 40 bits. This would allegedly be 
increased in subsequent years to keep pace with faster 
computers. In exchange, the NSA got some restrictions of 
its own. The regulation would not be formalized in an 
explicit standard. RSA and the companies using the cipher 
had to agree to keep the details of its design a secret. 


But no one particularly liked that deal. Companies had 
two choices. They could, like Lotus, offer American 
customers a version with strong (64-bit) encryption, and a 
weaker version for export. Then foreign customers would 
wonder why their software had second-class crypto—and 
sometimes, buy other products. Ray Ozzie claimed that it 
was already happening with Lotus. (He called the 40-bit 
limit espionage-enabled encryption.) Or, like Microsoft, they 
could avoid the hassle of manufacturing and shipping two 
versions and give everyone weak encryption. Meanwhile, 
hard-liners in the government felt that by green-lighting an 
export exemption, no matter what the key length, they were 
on a slippery slope toward strong crypto. Give the Lotuses 
and the Microsofts 40 bits now, and tomorrow they’re at 
your door demanding 48 bits, and more. 


But when Cantwell and Gejdenson went to the White 
House to urge movement toward export of stronger crypto, 
they hit a brick wall. The Clinton people held firm. 


In October 1993 Gejdenson and Cantwell held a 
subcommittee hearing to draw attention to the problem. 
“This hearing is about the well-intentioned attempts of the 
National Security Agency to control that which is 
uncontrollable,” said Gejdenson. He was talking about 
export regulations, but he might have been talking about 
something else—the support from Congress that Fort 
Meade once took for granted. While the majority of 
legislators accepted the NSA’s contentions at face value, a 
cognitive dissonance was emerging between its arguments 
and what appeared to be a more compelling view of reality. 
Cantwell put it clearly in her own opening statement: “We 
are here to discuss, really, competing visions of the future.” 
On one hand was a mind-set so locked into Cold War 
posturing that it ignored the inevitable. On the other were 
the techno-visionaries who powered our future, eager to 
fortify American ascendancy in a global marketplace. 


The hearing’s first witness was Ray Ozzie, who had come 
prepared with a software demo. He had a screen connected 
by phone line to his computer in Massachusetts, which he 
used to venture onto the Internet and download one of 
“hundreds of thousands” of copies of implementations of 
DES available overseas. He chose one in German, and 
downloaded it into his machine within seconds, as anyone in 
the world could do. But, he noted, if he were then to send 
the same software back to Germany, he would be guilty of 
the federal offense of exporting strong crypto. 


Next was Steve Walker, a former NSA official who now 
headed Trusted Information Systems, a consulting firm 
helping businesses implement crypto. He presented the 
results of a Software Publishers Association study that 
identified 264 cryptographic products produced overseas, 
123 of which employed DES. Foreign individuals and 
companies could buy any of these, but not similar products 
created by American firms because the NSA would not 
permit their export. “It cannot be clearer,” he said. “The 
existence of widespread and affordable cryptographic 
products overseas is an indisputable fact... the U.S. 
government is succeeding only in crippling a vital American 
industry’s exporting ability.” He then cited specific 
examples of business lost by American companies, like one 
firm that lost half of its European customers because it 
could not provide them strong cryptographic security. 


Phil Zimmermann gave testimony that trying to restrict 
cryptography is like attempting to “regulate the tides and 
the weather.” Don Harbert, an executive of Digital 
Equipment Corporation, insisted that “U.S. export controls 
on encryption must be brought into line with reality.” 


One of the committee members who had not been 
previously vocal in challenging the government, a 
conservative Californian named Dana Rohrbacher, noted for 
the record that if it were five years earlier, he would have 
chastised the witnesses for seeking profit at the potential 
loss of national security. But now, he said, “the Cold War is 
over. It is time for us to get on.” 


After the public session, security experts swept the room 
for bugs before the inevitable follow-up hearings involving 
the interests of the National Security Agency: The Briefing, 
“where the NSA answers all those questions in secret,” said 
Gejdenson. NSA briefings were notorious in Congress. They 
involved a dramatic presentation by the NSA on why our 
international eavesdropping abilities were so vital, typically 
including a litany of victories achieved by clandestine 
snooping (victories that would have been unthinkable 
without billions of dollars in funding), and perilous 
international situations that required continued vigilance 
and support. Perfected by Bobby Ray Inman in his days as 
NSA director, they initiated legislators into the society of 
Top Secret, implicitly shifting their alliance from the 
citizenry to the intelligence agencies. A newly cleared 
congressperson would get a presumably unvarnished and 
reportedly terrifying dose of global reality, after which he or 
she thereafter could be assumed to dutifully support any 
demands of the National Security Agency, lest the Huns 
gain a purchase on our liberty. Representatives and 
senators had been known to venture into the bug-swept 
room and emerge grim faced, stunning their go-go staffers 
by remarking, “Well, maybe we should reconsider.” 


Not Maria Cantwell. She was among a growing number of 
legislators who found The Briefing impressive but not 
persuasive. The issue for these skeptics wasn’t just how 
important crypto was, or what successes we’d had breaking 
codes, but whether maintaining export rules was actually 
productive. If the genie was out of the bottle, so what if 
American companies couldn’t export? Crooks would get 
crypto elsewhere! 


Cantwell began to prepare a legislative remedy. In 1994 
the Foreign Affairs Committee was already planning its 
periodic overhaul of the export regulations. She prepared 
H.R. 3627, “Legislation to Amend the Export Administration 
Act of 1979,” a bill adding a new subsection to the old rules, 
with specific implications for software exports, including 
encryption. It would move the decision-making process 
from the Department of Defense to Commerce, and would 
essentially make shrink-wrapped or public-domain software 
exempt from export regulations. It would put an end to the 
NSA’s game of controlling American crypto by use of the 
export laws. 


Naturally, the administration could not let that stand. 
When Cantwell was ready to introduce the bill, her staff 
notified her of an incoming phone call—from the vice 
president. The only previous time she had engaged Al Gore 
in a one-on-one had been during the budget battle, when 
Cantwell, despite severe reservations, had supported the 
administration (and would eventually wind up losing her 
reelection campaign in part because of it). What did he 
want this time? 


“I want you to stop this bill,” he said. He reiterated the 
stuff from the briefings about national security and all that. 


Cantwell held firm. “I’m sorry, Mr. Vice President,” she 
said. “I respect your opinion but I’m not changing my 
mind.” 


In a way, that was a turning point for Maria Cantwell. She 
got the bill through the subcommittee and kept pressing, 
even though fellow committee members were already 
trying to get her to drop the thing. Even before she left the 
hearing room after the vote—she hadn’t even gotten up 
from her chair—one representative came up to her and said 
outright, “If you don’t stop this it’s going to get very ugly.” 
And Maria Cantwell said to herself, “I’m not stopping.” 


On November 24, 1993, Cantwell introduced H.R. 3627 
on the House floor. Her comments were blunt. “The United 
States’ export control system is broken,” she said. “It was 
designed as a tool of the Cold War, to help fight against 
enemies that no longer exist. The myriad federal agencies 
responsible for controlling the flow of exports from our 
country must have a new charter, recognizing today’s 
realities.” 


The pressure continued, though most members were 
collegial in their attempts at persuasion. There was one 
instance in which a fellow Democrat came up to her on the 
floor and began berating her for ignoring national security 
issues. She felt intimidated but more than ever was 
convinced she should go on. With all the forces lined up to 
bolster these bizarre export laws and the silly Clipper Chip, 
it struck her as an exercise in unchecked power—against 
consumers. 


Still, she knew that on this issue she was out there. 
Though she was doing yeoman service for the techies she 
represented, most of her constituents in Washington State’s 
First Congressional District preferred her to be 
concentrating on issues such as health care, and here she 
was, locked in meetings with National Security Advisor Tony 
Lake. One day she heard that Bill Gates would be in town. 
So she asked the people at Microsoft who had been working 
with her—Nathan Myhrvold and company counsel Bill 
Neukom—if they could convince the world’s most famous 
techno-geek to lobby her colleagues on the matter. I’m out 
on a political limb here, she pleaded. Without publicity, she 
had Bill Gates address the intelligence committee. The 
National Security stooges started to explain to the 
billionaire how important the export laws were, but the icon 
of the New Economy had little patience for being lectured. 
Gates let them know that was a bullshit reason. The 
committee members didn’t get offended—it was kind of a 
kick, getting snapped at by the world’s richest guy. You 
certainly had to take him seriously when he talked about 
what was good for business. 


Cantwell dug in her heels with the White House, too. She 
asked them not to fight her bill, but to let it take its course 
in Congress. The response was unexpected, and it came two 
days before the vote. It was a deal. If we change our 
position, the Gore people wanted to know, would you drop 
the bill? They suggested that instead of forcing the Clipper 
Chip on people, they would instead advocate a different 
voluntary key escrow scheme. And maybe it could be based 
on more flexible software implementations than that 
already antiquated chip. And maybe, instead of only 
government escrow facilities, some could be in the 
more-trusted private sector, like banks or security companies. 


A significant retreat, but it was still an escrow scheme, 
not at all the ultimate solution that Cantwell and her 
constituents wanted. On the other hand, the chances of her 
bill passing were equivalent to that of Microsoft’s shipping 
an operating system without bugs. (Even then it would face 
a near-certain veto.) Cantwell went back to the people who 
had been fighting the battle long before she switched 
Washingtons. Bruce Heiman of the industry group called 
the Business Software Alliance was encouraged that the 
administration was giving a framework for a compromise. 
Nathan Myhrvold straight out celebrated. “They blinked,” 
he later said. All of Cantwell’s advisors agreed, though, that 
before she stood down, she should get promises in writing. 


On July 20, 1994, the afternoon before the vote, the letter 
from Al Gore arrived. After the usual flatulence (“I write to 
express my sincere appreciation for your efforts to move 
the national debate forward . . .”) Gore got to the point. 


The administration understands the concerns 
that industry has regarding the Clipper Chip. 
We welcome the opportunity to work with 
industry to design a versatile, less expensive 
system. Such a key escrow system would be 
implementable in software, firmware, 
hardware, or any combination thereof, would 
not rely on a classified algorithm, would be 
voluntary, and would be exportable. ... We also 
recognize that a new key escrow encryption 
system must permit the use of private-sector 
key escrow agents as one option. 


Apparently, the White House figured that the exercise 
was simply a way to quiet a potential firestorm. (Later in 
the summer, a Defense Department official seeking 
clarification on the implications of the policy shift was told 
that the letter was intended “to placate Rep. Cantwell and 
avoid a national debate.”) But when the contents of Gore’s 
missive found their way to the front page of the Washington 
Post the next day (a slight embarrassment for Cantwell, 
who didn’t want to look like she was showboating), the Gore 
people rediscovered that the Bosnia of telecommunications 
was as thorny as ever. The White House had made its 
promises without clearing them with the NSA or the FBI. 
(The first Clint Brooks had heard about it was the day it ran 
in the Washington Post.) Cantwell got a call from a Gore 
person. Do you mind, he asked, if we, um, rescind the 
letter? 


“Do you know how silly you’d look?” she replied. It was, 
after all, Gore’s letter, Gore’s words. She promised that she 
wasn’t out to milk the incident with the press, but the news 
was out there, and she didn’t have the authority to let him 
rescind the agreement. So the deal stood. Cantwell 
dropped her bill, though in the next few years it would be 
only the first of a number of increasingly popular 
congressional initiatives to reform the export rules. 
Meanwhile, the Gore letter, whether intentional or not, was 
essentially a blueprint for the direction that the 
administration would take in tinkering with their ill-fated 
Clipper Chip. A step backward. A rejection. Another step 
backward. Stalling and confusion, while the great honest 
debate that Clint Brooks had envisioned about a national 
crypto policy never did come to the forefront. Meanwhile, 
the platform that Brooks considered absolutely essential—a 
full encryption solution to protect privacy, a policy that 
would generate a pervasive digital signature policy to 
empower electronic commerce and prevent electronic 
forgeries, and access for law enforcement—never did get 
straightened out. 


Clint Brooks himself wanted out of the struggle. After a 
couple of years of driving back and forth from Maryland to 
D.C., having the same arguments with the same people, he 
asked the new NSA director if he could work on something 
that utilized his talents more effectively. His request was 
granted. Nirvana was lost. 


Slouching toward crypto 


By 1995, it was clear that the field of cryptography—as 
well as its reach—had dramatically changed, despite the 
government’s best efforts. Crypto, propelled by computer 
power and new discoveries by the Whit Diffies of the world, 
was moving at a turbocharged pace, shifting from Pony 
Express to Internet time. But the basic principles remained. 
Despite the increasingly invoked specter of crypto anarchy 
—where codes would proliferate unchecked, to the point 
where no government or institution could even hope to get 
a handle on digital commerce or law—the ancient clash of 
measure and countermeasure persisted. Only now the 
outsiders had a hand in the game. 


Over a century before, Edgar Allan Poe, who had been 
nearly obsessive on the subject of cryptology, wrote, “It may 
roundly be asserted ... that human ingenuity cannot 
concoct a cipher which human ingenuity cannot resolve.” 
Mathematically, of course, Poe was wrong; the verifiably 
impenetrable one-time pad was a firm “nevermore” to his 
claim. But implementing a one-time pad was demanding; 
certainly it was inappropriate in large-scale settings. So on 
a practical basis, was the poet’s claim correct? When 
Martin Gardner had cited Poe’s quote in his famous 
Scientific American article about RSA, he had thought not. 


The question certainly bugged Phil Zimmermann. In his 
heart, he felt that the encryption algorithm at the center of 
his PGP software was sound. In naming his program, he felt 
that “pretty good” was an understatement: users should be 
able to count on its imperviousness to codebreakers. The 
government, at least publicly, hinted that PGP was strong, 
too. In the spring of 1995, Louis Freeh of the FBI and 
William Crowell of the National Security Agency had 
testified in a classified congressional briefing about the 
difficulty of breaking crypto with long key sizes. Freeh 
complained, “We don’t have the technology or the 
brute-force capability to get to this information.” Crowell went 
even further. Citing current personal computer technology, 
he said that to crack “128-bit cryptography, which is what 
PGP is... would [take] 8.6 trillion times the age of the 
universe.” 


But Zimmermann knew that a brute-force attack on IDEA 
(International Data Encryption Algorithm) was not the only 
way to gut his cipher into something that could be called 
“Pretty Good Try at Privacy.” There were countless ways to 
crack a code. Maybe through stronger factoring algorithms 
and dedicated hardware a supercomputer could make 
much faster work of the public key part of the program. Or, 
even more likely, there could be quirks in the details of 
PGP’s implementation that would provide a cryptanalyst 
with a precious shortcut to plaintext. 


As it happened, one evening at the 1995 crypto 
conference at Santa Barbara, there was a cocktail party 
alfresco, and late in the evening a few cryptographers, 
decked in traditional garb of T-shirts and sandals, gathered 
around one of the event’s keynote speakers. He was Robert 
Morris, Sr., and until recently the only crowds he’d 
addressed were those authorized to receive U.S. 
government secrets. He had just retired as a top scientist at 
Fort George Meade. Morris’s reputation—enhanced by the 
unknowable feats he may have accomplished in the service 
of spookdom—drew a small crowd to his table. And when 
Morris mentioned that he wouldn’t mind meeting Phil 
Zimmermann, the neatly bearded forty-one-year-old was 
quickly called over. 


“Phil, let me ask you a question,” said the former 
intelligence man, puffing aggressively on a cigarette. “Say 
that someone used PGP for very bad stuff. How much would 
it cost us to break it?” 


Zimmermann seemed flustered. “Well, I’ve been asked 
that before,” he said. “It could be done.” 


“But how much would it cost us?” 


It was far from Zimmermann’s favorite subject, but he 
played along. He conjectured that the best attacks on PGP 
would not be on its key size but on other weaknesses. Its 
data structure could be troublesome, he admitted, its error 
correction poor. 


Morris nodded and said nothing. He’d been playing with 
Zimmermann. Who the hell knew if the NSA had already 
unearthed some elementary flaw that enabled the acres of 
silicon in its vaunted basement instantly to cough up the 
plaintext of the freedom fighters who allegedly used 
Zimmermann’s program? But the next day in his talk, 
Morris implicitly provided a commentary on the new 
cryptographers and their crypto-anarchist visions. He 
revealed no trade secrets. But somewhat in the spirit of the 
Eastern masters, Morris did present a pair of truisms— 
koans of the crypto faith—that pointed toward an eventual 
rapprochement between the Equities, one beyond the 
current political struggles. A glimpse of a post-Clipper 
society in the century to come. 


Koan One (for codemakers): never underestimate the 
time and expense your opponent will take to break your 
code. The inner text of the Morris speech was that 
cryptography is best left to those of a paranoid mind-set, 
those who believe beyond question that their opponents 
just may be very rich, very clever, and very dedicated— 
hellhounds on the trail. They will launch powerful frontal 
assaults on your codes. And, often, they will win. 


Koan Two (for codebreakers): look for plaintext. This was 
reassurance to the crowd that no matter how baffling the 
task of codebreaking might seem, the fact is that very 
fallible human beings are the ones who must employ these 
sophisticated systems. So sometimes, when one least 
expects it, a seemingly impenetrable code—the jumble of 
ASCII confetti one must hammer into human language— 
might have a passage, or an entire message, somehow 
unencoded. In that case, you could read it as easily as a 
fortune cookie. 


To the crypto anarchists, Morris was saying, “Hey, it’s not 
that easy to create a cipher utopia.” The ancient game 
would go on. But by imparting the lesson to outsiders he 
was also tacitly acknowledging that the future belonged not 
just to the NSA illuminati, but to these T-shirted longhairs at 
Santa Barbara as well. 


Morris’s statements came at a time when the tension 
between public and government crypto was at its height. 
Further, a novel twist had recently been introduced. Some 
of the emerging crypto forces were now well beyond code 
making and deeply into cryptanalysis. While this had been 
undertaken by the crypto crowd before—most famously in 
the attacks on Merkle’s knapsack scheme—there was now a 
new sort of effort. It did not conform to the traditional rules 
forged in the world of William Friedman or Alan Turing... . 
It was an aggregate code breaking, a mass effort powered 
by the amplifying abilities of the Net. Its practitioners were, 
of course, cypherpunks. This breed of codebreaker was not 
interested in crime and espionage, but in making a political 
point and reaping big fun in the process. 


One of the first efforts began with Phil Zimmermann’s 
PGP software. Long before Morris brought up the question 
of PGP’s strength at Crypto ’95, its users had been plagued 
by nagging questions of its resilience. Their angst reflected 
the key dilemma of guerrilla cryptography: could you trust 
software developed without the imprimatur of an 
organization known for secure codes? This was the question 
that Derek Atkins, then a twenty-year-old electrical 
engineering student at MIT, was asking himself in 1992. His 
initial reaction to Zimmermann’s program was to join the 
crusade, and he became part of the impromptu 
development team creating new versions of the software. 
But then Atkins came to wonder what attacks might work 
against it. 


As Bob Morris indicated in his talk, there are two general 
ways to crack a cryptosystem. The first way is brute force— 
to try all possible solutions until you hit on the right one. 
The second method involves seeking a shortcut, an 
unintended weakness, which may enable you to break the 
codes. As Atkins spoke to his friends—including Michael 
Graff at Iowa State University and Paul Leyland of Oxford 
University—he decided on the former style of attack. Trying 
to find a subtle flaw was a task beyond his abilities and 
experience. (Though, as Morris implied, it was a route that 
the NSA had probably attempted.) On the other hand, 
everybody seemed to agree that a direct, and perhaps 
feasible, route to cracking PGP would be one that worked 
against any RSA-based program: factoring. 


Rivest, Shamir, and Adleman had understood, of course, 
that if someone figured out a quick way to factor—to 
determine two original primes from the key based on the 
product of those numbers—their system was dead meat. 
But even though they had expected somewhat better 
factoring algorithms to come, they figured that nothing on 
the horizon would make it feasible to break RSA. Atkins and 
his friends, however, wanted to test that proposition. They 
suspected that by relying on a previously unavailable 
resource—the thousands of computers accessible to people 
on the Internet—they might be able to make factoring 
history. This was a fascinating premise, regarding the 
aggregate computing power of Internet users as sort of a 
giant supercomputer, perhaps a kludged cousin to the ones 
that supposedly existed in the basement of Fort Meade. 
They ran the idea past Arjen Lenstra, the renowned 
mathematical expert at Bellcore in New Jersey. He told 
them that the large prime numbers commonly used in PGP 
(as well as the commercial versions of RSA) would be too 
formidable to attack. Then he suggested another challenge: 
RSA 129. 


Lenstra’s idea cut to the heart of the issue of whether or 
not cryptography could ever assure perfect security. The 
RSA 129 challenge was the one offered in Martin Gardner’s 
Scientific American column in 1977—the column that began 
by declaring moot Poe’s dictum that no code was 
impervious to cracking. The challenge still had not been 
met in all these years. The estimate of time it would take a 
dedicated supercomputer to factor a number that size was 
forty quadrillion years. But even if you did not accept that 
number (Rivest now says it was a miscalculation) even a 
much, much smaller number—a billion years, say, or a 
measly few million—would indicate that anyone breathing 
today’s air would have been long rendered into a dust ball 
before the secret of the RSA message encoded with a 
129-digit key would be revealed. 


Yet fifteen years later, Atkins, Graff, Leyland, and Lenstra 
joined forces with the Internet to attempt to collect that 
hundred dollars—in a matter of months. 


The first, and probably most important, thing they needed 
was a good factoring algorithm. There had been some 
conceptual advances in this area since Gardner’s column 
had been published. Specifically, someone had devised the 
“double large prime multiple polynomial variation of the 
quadratic sieve.” This involves searching in a numbers 
realm called vector space for numbers known as univectors. 
These can be combined to chart mathematical relations in a 
way that yields the two original primes. “You don’t have to 
search the full space of possibilities, but only a small finite 
portion of the space,” says Atkins. “One way of looking at it 
is that we were looking for eight million needles in a 
haystack full of countless needles. You’re not looking for any 
particular needle—you just find enough of them and 
combine them in a special mathematical means to actually 
factor the number.” That technique was perfect for a 
distributed Internet attack, where literally hundreds of 
people would join forces to solve the problem. 


During the summer of 1993, the software was ready— 
Atkins had been running some of it on the MIT Media Lab 
computers—and they could now recruit volunteers with 
computers. The response was terrific: over 1600 machines 
worked on the problem, all over the world, every continent 
except Antarctica. The computers ranged from garden 
variety PCs to the 16,000-processor Maspar supercomputer 
at Bell Labs. 


A standard measurement of computer power is a MIPS 
year—one year of constant use of a Million Instructions per 
Second machine. From September 1993 to April 1994, the 
RSA 129 experiment used about five thousand of those 
MIPS years. It was then that Atkins and the others guessed 
that they finally had enough univectors to do the final 
calculations. As planned, they sent it to Lenstra at Bell Labs, 
who would then do the final “matrix reduction.” Atkins sent 
Lenstra a tape with 400 megabytes worth of univectors, via 
U.S. mail. He also sent a backup by FedEx. Lenstra fed it to 
his machines, and for two days they matrix-reduced. On 
April 24, 1994, Atkins posted the following message on the 
Net: 


We are happy to announce that 


RSA-129 = 
1143816257578888676692357799761466120102182967212423625625618429\
35706935245733897830597123563958705058989075147599290026879543541 = 
3490529510847650949147849619903898133417764638493387843990820577 * 
32769132993266709549961988190834461413177642967992942539798288533 


Applying that key to the number that represented the 
enciphered message text, they were able to transform it 
into a similarly long number. This was easily converted to 
English by one of the oldest decoding schemes in history: 
01 = A, 02 = B, and so on. That yielded the secret that 
supposedly would last for a quadrillion years: 


THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE 
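
As an added illustration (not part of the original text or of Atkins's post), this Python sketch shows why publishing the two primes ends the secrecy: anyone holding them can derive the private exponent and read whatever was sent under that key. The public exponent 9007 and the 00 = space convention are assumptions taken from Gardner's published challenge, not from this page; the function names are illustrative, and the ciphertext is produced inside the script rather than copied from the column.

```python
"""RSA-129 with its published factors: derive the private key, read a message."""

# Modulus and factors exactly as announced in the post quoted above.
N = int("1143816257578888676692357799761466120102182967212423625625618429"
        "35706935245733897830597123563958705058989075147599290026879543541")
P = int("3490529510847650949147849619903898133417764638493387843990820577")
Q = int("32769132993266709549961988190834461413177642967992942539798288533")

E = 9007  # assumption: public exponent of the 1977 challenge (not on this page)
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumption: 00 = space; 01 = A, 02 = B ...
MESSAGE = "THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE"


def encode(text: str) -> int:
    """Turn letters into one long decimal number, two digits per character."""
    for ch in text:
        if ch not in ALPHABET:
            raise ValueError(f"cannot encode {ch!r}")
    return int("".join(f"{ALPHABET.index(ch):02d}" for ch in text))


def decode(number: int) -> str:
    """Inverse of encode(); restores a leading zero dropped by int()."""
    digits = str(number)
    if len(digits) % 2:
        digits = "0" + digits
    pairs = [int(digits[i:i + 2]) for i in range(0, len(digits), 2)]
    if any(p >= len(ALPHABET) for p in pairs):
        raise ValueError("not a 00-26 encoded message")
    return "".join(ALPHABET[p] for p in pairs)


def private_exponent(p: int, q: int, e: int) -> int:
    """d = e^-1 mod (p-1)(q-1); computable only by someone who knows p and q."""
    return pow(e, -1, (p - 1) * (q - 1))


def encrypt(message: str, n: int = N, e: int = E) -> int:
    """Textbook RSA with the public key alone (no padding, as in 1977)."""
    m = encode(message)
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt_with_factors(ciphertext: int, p: int, q: int, e: int = E) -> str:
    """What the factoring team could do once the sieve produced p and q."""
    d = private_exponent(p, q, e)
    return decode(pow(ciphertext, d, p * q))


if __name__ == "__main__":
    print("factors multiply to RSA-129:", P * Q == N)
    c = encrypt(MESSAGE)
    print("ciphertext:", c)
    print("recovered :", decrypt_with_factors(c, P, Q))
```
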


Did this discovery rock Ron Rivest’s world? Not really. In 
the years since Gardner’s article, he had kept track of 
developments in factoring, and had concluded it wasn’t 
impossible that one day he might have to write out a check 
for $100 to someone. (Amazingly, he had forgotten the 
actual message.) He even defends Gardner’s prediction that 
a break in our lifetime was extremely remote. “It was 
probably accurate for the analysis of the fastest algorithm 
we knew about at the time, but technology was moving fast 
on the factoring frontier.” 


But the very idea of a “factoring frontier” was enough to 
throw some doubt into the security of the most popular 
public key cryptosystem. After all, if factoring was easy, RSA 
was, well, worthless. Of course, breaking RSA 129 was 
nowhere near as challenging as cracking RSA codes set at 
commercial strength. When the RSA system uses 129 digits, 
the key turns out to be 425 bits long. But the standard RSA 
key—the one used by the company’s actual software—was 
1024 bits long. Had the Atkins team attempted the same 
task with that key length, their computers would still be 
working on the problem—for a few million more years. 


Yet that degree of futility had once been predicted for 
RSA 129. Might new techniques to factor numbers melt 
down even the fattest RSA keys? There may well be 
mathematical breakthroughs to speed up factoring, but an 
even greater threat to the strength of the cryptosystems 
was the development of what are called quantum 
computers, machines that take advantage of subatomic 
physics to run much faster than our current models. (Think 
of the speed differential between turtles and laser beams.) 
While these machines still existed only in theory, scientists 
had been taking the first difficult steps toward 
implementation. Once the journey toward quantum 
computers was completed, you could stick a fork into the 
RSA cryptosystem. “I think that I shall see a special-purpose 
quantum factorization device in my lifetime,” cryptographer 
Gilles Brassard wrote in 1996. “If this happens, RSA will 
have to be abandoned.” This was published, of all places, in 
CryptoBytes, the technical newsletter of RSA Data Security. 


But that remained speculation. The reality is that Derek 
Atkins and his colleagues took what seemed to be an 
invincible problem and, working informally, with an ad hoc 
collection of computers, managed to crack it. “What we 
learned is that a bunch of amateurs can get together and 
do this,” he says. And that all claims of invincibility should 
be regarded with skepticism. 


The next target was an irresistible one: the 40-bit crypto 
allowed by the government for export. The point this time 
would be purely political. If the barn-raising style of 
cryptanalysis used in the RSA crack was directed against 
the puny key lengths negotiated by the Software Publishers 
Association in 1992 (and, despite government promises, not 
adjusted in subsequent years), those keys would surely fall, 
and the need for stronger crypto would be obvious. 


After one cypherpunk suggested a “Key Cracking Ring,” 
Tim May urged action, guessing that the “CPU horsepower 
of this list could be quite impressively applied” to crack the 
key in six months, making a strong statement against U.S. 
export standards. (Six months was a guess. But comparing 
the computation effort to the RSA’s crack was somewhat 
like apples and oranges—keyspace search versus 
factoring.) 


“Heh, I was already working on it... ,” wrote Adam Back, 
a twenty-five-year-old computer science student at Exeter 
College in England. Immediately after seeing the first 
posting, he’d begun writing scripts to allow people to 
participate in a group crack. He knew what he was doing, 
since he had been recently playing around with Rivest’s 
RC-4 algorithm—the actual cipher that performed the 40-bit 
encryption permitted for export by the government in 
programs by Microsoft and Lotus. 


A brute-force attack on a bulk encryption cipher like RC-4 
or DES requires the codebreaker to try out every possible 
key combination. Finding a key requires searching through 
the entire space of possibilities; in the case of a 40-bit key 
there are about a trillion actual possibilities, enough to 
keep a pack of computers busy for days. That’s what Adam 
Back had in mind: a mass effort with each attacker claiming 
some portion of keyspace, testing it, and then requesting 
another. The process would continue until someone found 
the key. Back posted his scripts to his Web page, and a 
group of conspirators from various corners of the world 
quickly gathered. Eventually, eighty-nine cypherpunks 
participated in trying to find a 40-bit key in Microsoft’s 
database program Access. 


But the Microsoft Access crack was doomed. After the 
entire keyspace was “swept,” none of the millions of 
potential keys unlocked the message. It turned out that the 
would-be crackers were stuck on a technical point that kept 
them from actually getting the plaintext. (“The problem was 
a lack of specifications,” says Back. “We didn’t know what 
format the file was in.”) 
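
The sweep described above, and the reason the Access attempt came up empty, as an added Python illustration that is not the cypherpunks' software: slices of a keyspace are handed out in order, each candidate key is tried, and a recognizer decides whether the output is plaintext. The 12-bit key, the sample message, the slice size and the figure of 100 machines are constructed for the example; only the rate of 10,000 keys per second comes from this chapter.

```python
"""Toy keyspace sweep: why a search needs a way to recognize the plaintext."""

KEY_BITS = 12     # toy size (assumption) so the sweep finishes at once; export RC4 used 40
SLICE_SIZE = 256  # keys per work unit that one volunteer claims (assumption)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key schedule, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_from_int(k: int) -> bytes:
    return k.to_bytes((KEY_BITS + 7) // 8, "big")


def work_units(order: str = "forward"):
    """Yield (start, end) slices; 'backward' hands them out from the top down."""
    starts = list(range(0, 1 << KEY_BITS, SLICE_SIZE))
    if order == "backward":
        starts.reverse()
    for start in starts:
        yield start, min(start + SLICE_SIZE, 1 << KEY_BITS)


def sweep(ciphertext: bytes, looks_like_plaintext, order: str = "forward"):
    """Try every key slice by slice; return (key or None, keys tested)."""
    tested = 0
    for lo, hi in work_units(order):
        for k in range(lo, hi):
            tested += 1
            if looks_like_plaintext(rc4(key_from_int(k), ciphertext)):
                return k, tested
    return None, tested


# Constructed sample: a made-up order form encrypted under a made-up key.
SECRET_KEY = 0xE5A
PLAINTEXT = b"POST /order HTTP/1.0\r\n\r\nitem=t-shirt&size=L"
CIPHERTEXT = rc4(key_from_int(SECRET_KEY), PLAINTEXT)


def knows_format(candidate: bytes) -> bool:
    """The searcher knows how the message must begin."""
    return candidate.startswith(b"POST /order")


def wrong_format(candidate: bytes) -> bool:
    """The searcher guessed the file format wrong, so the right key goes unnoticed."""
    return candidate.startswith(b"%PDF-1.")


def projected_days(key_bits: int, keys_per_second: float, machines: int) -> float:
    """Worst-case time to cover a whole keyspace at a given aggregate rate."""
    return (1 << key_bits) / (keys_per_second * machines) / 86400


if __name__ == "__main__":
    print("known format, forward :", sweep(CIPHERTEXT, knows_format))
    print("known format, backward:", sweep(CIPHERTEXT, knows_format, "backward"))
    print("wrong format          :", sweep(CIPHERTEXT, wrong_format))
    print("40-bit, 100 machines  : %.1f days" % projected_days(40, 10_000, 100))
    print("128-bit, 100 machines : %.3g days" % projected_days(128, 10_000, 100))
```
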


Still, the cypherpunks emerged from the failed Microsoft 
attack with some group-cracking software, a loose yet 
dedicated organization, and a continuing desire to expose 
what they believed was the pitiful sham of export-level 
crypto. And then the cypherpunks hit upon an even better 
target for a brute-force attack: Netscape. 


In 1993, two students at the University of Illinois had 
engaged in a coffeehouse conversation that would not only 
change the course of the twenty-two-year-old international 
network called the Internet but would profoundly affect the 
adoption of crypto. One of them, a chunky undergrad 
named Marc Andreessen, had recently been learning about 
a new system on the Internet brashly named the World 
Wide Web by its inventor, Tim Berners-Lee, a British 
computer scientist working in Switzerland. The Web was an 
ingenious way to publish and get access to information on 
the Net, but only a few in the technical community had 
adopted the system. Andreessen saw a wider potential. If 
someone created a slick “browser” to surf through the 
information space created by a multitude of people who 
shared text, pictures, and sounds on the Web, he said to his 
colleague Eric Bina, the Internet itself would be easier to 
use and a better way to get information. The pair, both of 
whom worked at the Supercomputing Center at the 
university, created Mosaic, the first great Web browser. 
Instead of being forced to use arcane commands and tackle 
a baffling alphabet soup of acronyms, people could now get 
all sorts of wonderful stuff from handmade Web “pages”—at 
the click of a mouse! It was an instant phenomenon; to use 
Mosaic was to swoon with the excitement of participating in 
a vast experiment with the future of information sharing. 
Soon a team at Illinois had churned out versions of the 
program for virtually every computing platform. Millions of 
people downloaded them, and thousands of Web sites 
sprang up to take advantage of the audience. 


In 1994, Andreessen had another famous cup of coffee, 
this time with Silicon Valley entrepreneur Jim Clark. The 
just-departed CEO of Silicon Graphics was casting about for 
a big new idea for a start-up company, and with this college 
kid he hit one of the richest pay dirts in history. Clark, 
who’d been unaware of the Web boom up till then, quickly 
realized that there were untapped commercial possibilities 
for the Web, and grabbed not only Andreessen but most of 
the Illinois team to start Mosaic Communications. (When 
the university objected to the name, Clark changed it to 
Netscape.) The idea was to develop an improved browser 
called the Navigator, along with software for “servers” that 
would allow businesses to go on-line. The one missing 
component was security. If companies were going to sell 
products and make transactions over the Internet, surely 
customers would demand protection. It was the perfect job 
for encryption technology. 


Fortunately Clark knew someone in the field—Jim Bidzos. 
By the time negotiations were completed, Netscape had a 
license for RSA and the company’s help in developing a 
security standard for the Web: a public key-based protocol 
known as Secure Sockets Layer. Netscape would build this 
into its software, ensuring that its estimated millions of 
users would automatically get the benefits of crypto as 
envisioned by Merkle, Diffie, and Hellman, and 
implemented by Rivest, Shamir, and Adleman. A click of a 
mouse would send Netscape users into crypto mode: a 
message would appear informing them that all information 
entered from that point was secure. Meanwhile, RSA’s 
encryption and authentication would be running behind the 
scenes. 


Jim Bidzos drove his usual hard bargain with Netscape: in 
exchange for its algorithms, RSA was given 1 percent of the 
new company. In mid-1995, Netscape ran the most 
successful public offering in Wall Street’s history to date, 
making RSA’s share of the company worth over $20 million. 
(Not bad, Bidzos realized, for a company that was just 
about flatlining until Lotus’s $100,000 advance for the 
Notes license.) 


It was just after that eye-opening IPO that a cypherpunk 
named Hal Finney began looking at Netscape’s security. 
Finney, a Santa Barbara-based programmer who had 
participated in PGP development, was particularly 
interested in how cryptography would be used with 
electronic commerce, and had become familiar with 
Netscape’s Secure Sockets Layer. In adhering to the export 
regulations, Netscape had released two versions of the 
browser: a domestic version with a 128-bit key for its RC-4 
encryption function, and a 40-bit version for export. 


Finney set up a challenge to break a message encrypted 
with that weaker key. He would make a dummy Netscape 
transaction—just as if he were a customer—then use the 
encryption in the export version. “I basically connected to 
Netscape in one of their secure pages and typed in some 
random data where I was supposed to be ordering a T-shirt 
or something,” he says. Then he captured the encrypted 
data and included it in his challenge: 


Date: Mon, 10 Jul 1995 16:13:52 -0700 
From: Hal <hfinney@shell.portal.com> 
To: cypherpunks@toad.com 
Subject: Let’s try breaking an SSL RC4 key 


Since this whole Microsoft Access thing turned 
out to be a dud, maybe an alternative would be 
to try breaking the 40-bit RC4 used in 
Netscape’s SSL (Secure Sockets Layer) 
exportable encryption ... 


From England, Adam Back’s group accepted the 
challenge. Though Back’s original intent seems to have 
been to apportion the keyspace among many people, he 
wound up accepting the offer of an Australian programmer 
to organize half the search. The rest of the keyspace was to 
be swept by volunteers who were assigned slices. But there 
was some confusion between the two groups that slowed 
down the effort for some days. 


It was during this lull in the action that Damien Doligez 
began to wonder what was taking so long. Doligez was a 
twenty-seven-year-old computer scientist who had just 
gotten his Ph.D. a few months before and was working as a 
researcher at INRIA, the French government computer lab. 
His office was in one of a cluster of shacks in what was once 
a NATO base a few miles outside of Versailles. Doligez had a 
personal interest in crypto. He shared the sense of disgust 
at the way governments attempt to suppress their citizens’ 
ability to communicate privately with each other, and he 
believed that if someone cracked one of those artificially 
lame 40-bit cryptosystems, it would be a blow against the 
powers that be. He also guessed that after the successful 
RSA 129 crack, a two- or three-week effort should do the 
job. So as time passed between Finney’s challenge and its 
solution, he wondered what the hell had happened. 


As a researcher at INRIA Doligez had access not only to 
the workstation in his small office, but also to an entire 
network of computers, including a Maspar supercomputer. 
Doligez studied the SSL specifications and concocted a 
small program to allow a computer quickly to test out a 
potential key, then adapted the program so it would work 
on the various machines on the INRIA network, as well as 
on some machines at the nearby universities, L’École 
Polytechnique and L’École Normale Supérieure. 


Then he began his own multiple-computer attack. 
Whenever an INRIA worker would stray from his or her 
computer, within five minutes, Doligez’s program would 
take over the machine, crunching perhaps 10,000 keys a 
second. Simply by touching the keyboard, a user could 
regain control over the machine. No one complained. 


Doligez figured that his odds of finding the key would be 
better if he started from the end of the keyspace and 
worked backward. “I figured the cypherpunks would start 
from the start, so I started from the end.” He set his 
network into action on Friday, August 4, and left for the 
weekend. On Monday, he returned and discovered a bug in 
his program. He restarted the process. From that point, the 
number crunching ran perfectly, but he wound up writing 
ten new versions of the software over the next few days to 
address glitches in the communications between machines. 
The program was working fine when Doligez left work on 
Friday, August 11. Due to a national midsummer holiday 
that next Tuesday, on August 15, it would be a four-day 
weekend, but checking on his home computer before the 
holiday ended, his software gave him the message he was 
waiting for. 


“I saw it found the key,” he says. SSL had been cracked! 


The following day, Damien Doligez drove to work from his 
home outside Paris and recovered the key from his 
workstation, then successfully decrypted the message. He 
posted a message to cypherpunks with the heading “SSL 
challenge—broken!” As proof, he displayed the plaintext. 
Those familiar with the RSA 129 crack appreciated the 
significance of the address of the fictional character that 
Hal Finney had created in his coded message. Mr. Cosmic 
Kumquat, of SSL Trusters, Inc., lived at 1234 Squeamish 
Ossifrage Road. 


Though technically it was anything but shocking—the 
mathematics of cryptography dictated that a weak key 
should fall to a concentrated effort—the very idea of 
cracking Netscape’s crypto captured the imagination of the 
popular press. The media descended on Damien Doligez. 
Because the break occurred only a week after Netscape 
enjoyed perhaps the most successful IPO in history, some 
journalists played the crack as if it spoke to the nature of 
the browser’s overall security, and not as an example of the 
way the government export rules weaken software in 
general. In a message that Netscape posted on its site later 
that week, the company noted that Doligez had simply 
broken one message—and that it took about 64 MIPS years 
to do so. Netscape also estimated that the cost of breaking 
the message had been $10,000. But as Doligez pointed out 
in his own response, he had used idle computer time, and 
paid nothing to do so. Netscape was on firmer ground when 
it noted that the domestic version of Navigator used a much 
sounder 128-bit key. “The computer power required to 
decrypt such a message would be more than a thousand 
trillion trillion times greater than that which was used to 
decrypt the RC-4-40 message,” wrote Netscape. 


Which as far as the cypherpunks were concerned was 
exactly the point: export-level crypto was needlessly weak. 


But the cypherpunks were not through with Netscape. At 
Berkeley, two first-year graduate students were inspired by 
group cryptanalysis. They were twenty-two-year-old Ian 
Goldberg and twenty-two-year-old Dave Wagner. They, too, 
thought it would be a good idea to hack Netscape, the new 
flagship for Internet security. But they had missed out on 
the obvious brute-force attacks—Goldberg had been 
moving to California from his native Canada and Wagner 
had just arrived after getting his undergraduate degree at 
Princeton. So they began to explore a different mode of 
attack, more akin to the second of Robert Morris’s 
recommendations: look for plaintext. Could it be possible 
that the Netscape security team made some simple yet 
egregious error in implementing their software, thus 
exposing what might be millions of electronic commerce 
transactions to eavesdroppers? Not likely. But, as Morris 
had suggested, you never know unless you look. 


And that’s when Wagner saw it. Buried in the code were 
the instructions for Netscape’s Random Number Generator 
(RNG). This is an important part of any sophisticated 
cryptosystem—the piece of code crucial to scrambling the 
letters so that the encoded text offers no tell-tale patterns 
that would help a cryptanalyst. It is well known that a lack 
of true randomness is a weakness smart codebreakers can 
eventually exploit. So it is important to have a solid RNG— 
something that spins the alphabetic roulette wheel 
thoroughly. 


An important part of a good RNG is the use of an 
unpredictable “seed”—a number that begins the 
randomization process. Since, unlike dice, computers do 
the same thing each time they run, it is essential to begin 
the process with a seed that a potential opponent cannot 
possibly guess. Methods of doing this often include using 
some off-the-wall statistics from the real world—the position 
of the mouse, for instance. Anything that an enemy could 
not possibly know. 


Netscape, as it turns out, had ignored this wisdom. When 
Dave Wagner looked closely at the code, the error jumped 
out at him. Netscape derived the seed of its RNG from 
three elements: the time of day and two forms of user 
identification called the Process ID and the Parent ID. A 
disaster. A foe would burn few computer cycles and even 
fewer brain cells finding the first part of the seed: it is easy 
to run through the limited number of times of day. And in 
many cases, both kinds of identification numbers were also 
easy to find, particularly if someone is sharing a server with 
a number of people—as often happens in an Internet 
environment. “If an attacker has an account on your 
machine, it’s trivial,” says Goldberg. “Here at Berkeley, 
there are thousands of users. If anyone uses Netscape, you 
can discover the IDs.” But even without that advantage, it 
would be fairly trivial for attackers to calculate out those 
IDs. The identification numbers in question were only 
fifteen bits long, easily susceptible to brute-force attacks. 
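
The seed weakness described above, as an added illustration (not code from the book or from Netscape): the mixing function, the one-second time resolution and the sample values are assumptions made for the example. It counts the seeds an observer would have to consider and checks whether a key is reachable from them, next to a key drawn from the operating system's generator.

```python
import hashlib
import math
import secrets

PID_BITS = 15             # per the text: each ID is only fifteen bits long
SECONDS_PER_DAY = 86_400  # assumption: time of day at one-second resolution


def weak_seed(tod: int, pid: int, ppid: int) -> bytes:
    """Seed mixed from three guessable values (illustrative mixing only)."""
    return hashlib.sha256(f"{tod}|{pid}|{ppid}".encode()).digest()


def key_from_seed(seed: bytes) -> bytes:
    """A seeded generator is deterministic: same seed, same 128-bit key."""
    return hashlib.sha256(b"key" + seed).digest()[:16]


def seed_entropy_bits(time_window_s: int, pid_known: bool, ppid_known: bool) -> float:
    """Upper bound on the seed's entropy from an observer's point of view."""
    candidates = time_window_s
    for known in (pid_known, ppid_known):
        if not known:
            candidates *= 2 ** PID_BITS
    return math.log2(candidates)


def find_seed_inputs(key: bytes, t_from: int, t_to: int, ppid: int):
    """Audit check: is `key` reachable from the guessable inputs?

    Models the shared-machine case in the text: the parent ID is visible,
    the time is known to within a few seconds, and only the 15-bit process
    ID has to be enumerated. Returns (tod, pid), or None if nothing matches.
    """
    for tod in range(t_from, t_to):
        for pid in range(2 ** PID_BITS):
            if key_from_seed(weak_seed(tod, pid, ppid)) == key:
                return tod, pid
    return None


def strong_key() -> bytes:
    """Hardened form: take all 128 bits from the operating system's CSPRNG."""
    return secrets.token_bytes(16)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real session.
    tod, pid, ppid = 58_432, 20_211, 1
    weak = key_from_seed(weak_seed(tod, pid, ppid))

    print("key length in bits:", len(weak) * 8)
    print("seed entropy, nothing known: %.1f bits"
          % seed_entropy_bits(SECONDS_PER_DAY, False, False))
    print("seed entropy, shared machine, 5 s window: %.1f bits"
          % seed_entropy_bits(5, False, True))
    print("weak key reachable from:", find_seed_inputs(weak, tod - 2, tod + 3, ppid))
    print("CSPRNG key reachable from:",
          find_seed_inputs(strong_key(), tod - 2, tod + 3, ppid))
```

The key is 128 bits long in both cases; what differs is how many bits of it an observer cannot predict.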


Over the course of a weekend, Wagner and Goldberg 
wrote a program to exploit the weakness. On Sunday night, 
they tested it. By zeroing in on the huge flaw in Netscape’s 
implementation, they were able to find a secret key in less 
than a minute. Hasta la vista, Netscape security. Goldberg 
posted the result on the cypherpunks’ mailing list that 
night. “We didn’t expect lots of press,” he said. Silly boy. 
Among the readers was a New York Times reporter. When 
the story ran in the Paper of Record, the two grad students 
were deluged with curiosity seekers and journalists. Of the 
things that the two grad students had to say, perhaps the 
most sobering was Goldberg’s observation, “We’re good 
guys—but we don’t know if this flaw has been discovered by 
bad guys.” 


Unlike the first Netscape crack, where the company could 
quite rightfully claim that their otherwise strong crypto was 
crippled by government restrictions, this was a total flub. 
You didn’t need to tap a multi-workstation network, or get 
access to a supercomputer. In certain circumstances all you 
needed was a minute’s worth of crunching on a vanilla 
Pentium machine. “Our engineers made an implementation 
mistake,” admitted Mike Homer, Netscape’s vice president 
of marketing. 


The error cast a shadow on the security of the leading 
Internet software company. “If Netscape did this wrong, 
what else did they do wrong?” asked cryptographer Bruce 
Schneier. But the more pressing question was, if Netscape 
was unsafe, what was safe? Netscape, after all, was making 
a concerted effort to protect its users. If the Navigator 
could be cracked so easily, what hope was there for the 
others? 


There was a bright side to the event: you could argue that 
things worked properly because the cypherpunks publicly 
exposed a weakness, which Netscape immediately moved to 
fix. But the lasting lesson was somewhat darker. As the 
Internet proliferated, the public was beginning to become 
truly dependent on networked computers for financial 
transactions and storing private information—everything 
from buying books to making stock trades to paying bills. 
New businesses were planning to put medical records 
on-line. But security was still haphazard at best. And more and 
more, it was becoming clear that one big reason for this 
failing was the United States government’s long-term 
stalling action. While it tried to push Clipper and key 
escrow as its pet solution to the problem, the Internet kept 
going—without an organized effort to provide the 
protections it needed. 


During the mid-1990s, though, those trying hardest to 
bring to fruition a new era of cipher protection—one that 
would finally secure the Internet and other electronic 
means of communication—found themselves under 
increasing fire. It seemed that those in charge of the laws 
and institutions of society, while not able to shut down 
mathematical and engineering progress, could do plenty to 
make crypto innovators know that their actions had 
consequences. The question became how far was the 
government willing to go to invoke those consequences. 


For Ray Ozzie of Lotus such a lesson in power would have 
seemed unnecessary: he was committed to working within 
the system. (Besides, in 1993, Lotus had officially joined the 
Establishment when it was bought by IBM for $3 billion.) In 
the years since his early adoption of RSA, Ozzie had become 
a vocal figure in the crypto battles, testifying in Congress 
and visiting key administration figures. Though his 
procrypto bias was plain, Ozzie’s easy manner and 
willingness to consider the opposing view earned him the 
respect of even export hard-liners. He was a realist. Unable 
to wait for the government to liberalize its rules, he was 
constantly brainstorming for innovative ways around the 
export impasse. 


After the Netscape crack, overseas buyers of Lotus Notes 
became increasingly uneasy using the 40-bit encryption 
IBM was permitted to ship overseas. They wanted to know 
why it was that American customers were sold a version 
with 64-bit keys, millions of times more difficult to break— 
while their version could be cracked by some random 
postdoc outside Paris. (Meanwhile, companies like 
Microsoft, which didn’t want the hassles of making two 
flavors of the same product, gave all their customers 
weaker crypto. This made the whole product line less 
valuable to those who wanted encryption, and some of 
those customers began buying from foreign companies that 
could legally sell them strong crypto.) 


In 1995, Ozzie came up with what seemed a preferable 
compromise, at least in the short term: a mathematical fix 
devised to satisfy the NSA’s requirements. Though Ozzie 
hated Clipper, his scheme was sort of a less onerous version 
of it. Lotus would still sell two versions of Notes, but unlike 
prior versions, both would have 64-bit encryption. But the 
international version would have a little gift for the NSA: 
something called the National Security Access Field 
(NSAF). This consisted of 24 bits of the encrypted data that 
the NSA, and only the NSA, could decode. It was to be 
encrypted by the NSA’s public key, so only the folks at The 
Fort could decrypt that field. After the NSA used 
its private key to unscramble the 24-bit NSAF, the 
Notes-encrypted messages would have shrunk from 64-bit 
ciphertext to 40-bit ciphertext. Cracking the remaining 
code would require precisely the same work factor as 
messages encrypted with 40-bit keys shipped under the old 
system. But since the overall encryption was stronger 
against all attackers other than the NSA—and it was those 
other attackers most users were worried about, like vandals 
or industrial spies—Ozzie figured that this solution might 
help in the short run. 
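
The work-factor split described above, as an added sketch that is not Lotus's code: it assumes the field carries 24 of the key's 64 bits, and it uses a toy RSA key pair and a SHA-256 check in place of the real algorithms. The search step runs on a scaled-down 40-bit key so that it finishes quickly.

```python
import hashlib
import secrets

KEY_BITS, ESCROW_BITS = 64, 24   # figures from the text

# Toy RSA key pair standing in for the agency's key: the modulus is the
# product of two Mersenne primes and is far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def make_access_field(session_key: int, key_bits: int = KEY_BITS,
                      escrow_bits: int = ESCROW_BITS) -> int:
    """Sender side: encrypt the top `escrow_bits` of the key under the public key."""
    top = session_key >> (key_bits - escrow_bits)
    pad = secrets.randbits(96)   # random padding so equal bits give different fields
    return pow((pad << escrow_bits) | top, E, N)


def open_access_field(field: int, escrow_bits: int = ESCROW_BITS) -> int:
    """Private-key holder: recover the escrowed bits from the field."""
    return pow(field, D, N) & ((1 << escrow_bits) - 1)


def work_factor_bits(key_bits: int = KEY_BITS, escrow_bits: int = ESCROW_BITS):
    """(bits left to search without the private key, bits left with it)."""
    return key_bits, key_bits - escrow_bits


def check_value(key: int) -> bytes:
    """Stand-in for 'encrypt a known block under this key' (SHA-256, not the product's cipher)."""
    return hashlib.sha256(key.to_bytes(8, "big")).digest()[:8]


def search_remaining(known_top: int, target: bytes, key_bits: int, escrow_bits: int):
    """Try every value of the bits the field does not reveal; return the key or None."""
    low_bits = key_bits - escrow_bits
    for low in range(1 << low_bits):
        candidate = (known_top << low_bits) | low
        if check_value(candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    outsider, field_holder = work_factor_bits()
    print(f"without the private key: 2^{outsider} keys to try")
    print(f"with the private key:    2^{field_holder} keys to try")
    print(f"ratio: 2^{outsider - field_holder} = {2 ** (outsider - field_holder):,}")

    # Scaled-down run: a 40-bit key with 24 bits in the field leaves 16 bits.
    key_bits, escrow_bits = 40, 24
    key = secrets.randbits(key_bits)          # constructed sample key
    field = make_access_field(key, key_bits, escrow_bits)
    top = open_access_field(field, escrow_bits)
    found = search_remaining(top, check_value(key), key_bits, escrow_bits)
    print("recovered the sample key:", found == key)
```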


Lotus filed two patents for its innovation, called 
“Differential Work-factor Cryptography Method and 
System,” in December 1995, and included the innovation in 
the new version of its software, Notes Release 4. Ozzie first 
spoke about it publicly in January 1996, at the RSA Data 
Security Conference in San Francisco. The conference was 
another of Jim Bidzos’s marketing brainstorms. Since 1990, 
the RSA Data Security honcho had been gathering 
commercial crypto customers in the Bay Area, sponsoring a 
few days of seminars and a small trade show where vendors 
could show their wares. From a gathering of a few dozen 
geeks at the Sofitel Hotel near RSA’s Redwood City offices, 
the conclave had grown to thousands and was now held at a 
large hotel near Union Square. Ozzie’s speech drew a lot of 
attention, and not a little hand-wringing: some wondered 
whether the dynamic designer behind Notes had given up 
the fight. 


No, he hadn’t. Ozzie was just pursuing a more subtle 
agenda. “I wanted to stir things up,” he said. The idea was 
to knock a wedge between the administration and the NSA. 
Once Al Gore had backed down from the idea of 
government-controlled escrow facilities, the NSA found 
little to like in those post-Clipper ideas. If people stored 
keys in private facilities, authorities would need a warrant 
to get hold of them. But the NSA operated in secret and 
was banned from domestic surveillance. So the agency 
might prefer Ozzie’s scheme—which gave it a head start in 
cryptanalysis. (It wouldn’t need a warrant to get those 
24-bits’ worth of decryption.) Thus, Ozzie’s scheme was far 
from a sellout—it was a subversive strategy to get the NSA 
and the administration arguing for different approaches. In 
the confusion, he hoped that his industry could sneak 
through its own solution. 


Before Ozzie could congratulate himself on his 
cleverness, he discovered that the government was not 
without its own means for dealing with such strategies. On 
December 30, 1996, both Ozzie and his coinventor Charles 
Kaufman were sent letters labeled in boldface: SECRECY ORDER. 
Their patent application, read the letters, “contains subject 
matter the unauthorized disclosure of which would, in the 
opinion of the sponsoring defense agency, be detrimental to 
the national security.” (In the space where the government 
patent officer could check off which agency that was, there 
was an X next to “ARMY.”) Disclosing the subject matter to 
anyone without authorization, they were warned, would 
subject the inventors and IBM to a penalty, including a jail 
term. Finally, they were instructed, any copies of the subject 
matter “should be destroyed by a method that will prevent 
disclosure of the contents or reconstruction of the 
document.” 


Ozzie, who received the order on January 7, 1997, 
immediately understood that complying with that order 
presented something of a problem. Not only had he spoken 
in detail about the scheme numerous times, but the 
“subject matter” had also already been distributed to 
almost six million Lotus Notes users, about half of whom 
were outside the United States. He quickly informed his 
bosses at Lotus, who immediately began pondering the 
consequences of having one of the most popular software 
programs in the world deemed a government secret. 


Perhaps the best thing Ozzie did was to have a friend call 
the deputy director of the NSA, Bill Crowell, who reportedly 
laughed when he heard of the news, and told the friend 
he’d look into it. On January 9, Crowell called Ozzie. It was 
all a mistake, he said. Everything would be fixed. Indeed, 
the next day, when IBM attorneys got in touch with the 
Patent Office, they got a verbal confirmation that the order 
had been rescinded, and later got a fax to that effect. No 
longer were Ray Ozzie, his coinventor, and IBM liable for 
about six million violations of the patent secrecy act. But 
after everyone had some time to breathe, questions 
remained. If this was the fate that welcomed someone 
trying to serve his customers in the spirit of key escrow, 
what would happen to those who outright challenged the 
government? 


Jim Bidzos could answer that question. As he took the 
most public stance possible in opposition to the government 
—he even distributed posters urging people to “Sink 
Clipper”—the relationship between his company and the 
NSA had gotten more contentious. Though Bidzos had no 
hard evidence of having been wiretapped, he assumed that 
he was under surveillance. Perhaps the most egregious 
confrontation came in April 1994, during a meeting with 
three NSA export officers, all of whom Bidzos had been 
grappling with for years. Two were women he’d come to 
trust to some degree, but the third was a man who clearly 
despised Bidzos and his company. 


Since the NSA reps didn’t open the meeting with any 
specific issues, Bidzos used the opportunity to lecture them 
about Clipper: no one would use it, it was a flawed system, 
yadda yadda. Bidzos noticed the man from the NSA getting 
more and more agitated. Finally the official spoke. If I see 
you in the parking lot, he said, I’ll run your ass over. 


Bidzos recalls being stunned but finally he replied. “I’ll 
give you an opportunity to retract that or apologize,” he 
said. But the man kept pressing. I’m serious, he raged. You 
don’t understand me, do you? 


Was Bidzos getting an official warning, sort of a Triple 
Fence equivalent of a Mafia kiss on the lips? Should he 
avoid parking lots? Bidzos felt that most likely the guy was 
just venting, but he didn’t want to let the threat go 
unchallenged. He told a newspaper reporter, and the story 
found its way into the local paper. Not long afterward 
Bidzos received a phone call from the NSA guy’s boss. 
Bidzos got an apology. Even if his life wasn’t at risk, though, 
Bidzos felt that the agency wanted him out of business. 


But at least Bidzos wasn’t under the threat of indictment. 
That fate was reserved for his sometime nemesis Phil 
Zimmermann. 


Ever since the release of Pretty Good Privacy, 
Zimmermann had assumed that his biggest problem was 
the intellectual property dispute with RSA. Jim Bidzos 
thought nothing of publicly attacking Zimmermann, and at 
the drop of a fax button, he would zip journalists a copy of 
Zimmermann’s (ambiguously) written promise to stop 
distributing PGP, a vow apparently not kept in spirit. But 
Zimmermann never thought that he would find himself 
under criminal investigation. So when two women from the 
U.S. Customs Service in northern California came to visit 
him in 1993, he assumed that they were there at Jim 
Bidzos’s bidding. Indeed, though the investigators wanted 
to know how PGP was distributed, many of the questions 
dealt with PGP’s similarity to RSA’s products. As far as 
technological expertise, the investigators seemed clueless. 
Zimmermann had to explain to them the very basic ideas of 
crypto and software distribution. When they left he felt that 
he had little to worry about. The whole thing was some 
Bidzos harassment, he figured. “I don’t think that there will 
be action against me,” he said at the time. “They raised 
questions about the [export regulations], but I diffused 
that.” 


Not quite. United States Attorney William Keane was 
indeed concerned about a possible export violation. After 
all, within hours of PGP’s release on the Internet, the strong 
crypto program had found its way overseas. It’s unclear 
whether pressure from Washington had anything to do with 
it, but some weeks later, Keane informed Zimmermann that 
he was under investigation for illegally exporting munitions. 
(Kelly Goen, who had identified himself to MicroTimes 
columnist Jim Warren as a Johnny Appleseed of PGP, was 
also a potential target.) 


For the next three years, Zimmermann was in legal 
purgatory, investigated by a grand jury but unindicted. His 
lawyers advised him to lie low. But PGP’s fame had given 
Phil Zimmermann a taste for speaking out loud. Besides, he 
felt that his best chance lay in taking the case to the public. 
Whenever he had talked to just plain folks about PGP and 
crypto issues, they had become outraged at the prospect of 
the government’s limiting the ability of people to 
communicate privately. He suspected, with good reason, 
that even techno virgins would be equally indignant at this 
new atrocity: here was Big Brother himself, contemplating 
a prison cell for someone who freely distributed privacy 
software to freedom fighters, lovers, and those who simply 
felt that their secrets were nobody’s business. What’s more, 
the case against Zimmermann himself was weak; he wasn’t 
even the one who’d posted his program to the Net. The guy 
who had, had told Jim Warren that he scrupulously limited 
the uploads to American sites. Was the Justice Department 
actually asserting that export restrictions prohibited U.S. 
citizens from distributing legal materials to other U.S. 
citizens? 


Oh, the export regulations. The more you looked at them, 
the weirder they appeared. One recent controversy 
involved Bruce Schneier’s 1994 book, Applied 
Cryptography. It was a technical cornucopia of cryptological 
mathematical theory, explanations of popular 
cryptosystems, and all the algorithms that a security 
specialist or cypherpunk would ever need. The Millennium 
Whole Earth Catalog called it “the Bible of code hackers.” 
But while anyone could ship the physical book overseas, the 
crypto restrictions seemed to ban the export of those same 
contents in digital form. At least that’s what cypherpunk 
Phil Karn found out when he applied for a “commodities 
jurisdiction” (or CJ) to export the book, along with an 
accompanying floppy disk with the same contents on it. 
Officials confirmed that the book could be exported, but not 
the floppy. It seemed absurd. 


So Zimmermann talked, and generated publicity. He 
seldom failed to note that Burmese rebels reportedly used 
PGP to avoid the deadly consequences of being discovered 
in antigovernment activities; in testimony to a congressional 
hearing in 1993 he also noted that he’d received an effusive 
thank-you from a Latvian patriot who claimed, “your PGP is 
widespread from Baltic to Far East and will help democratic 
people if necessary.” When confronted with the charges 
from law enforcement agencies that PGP was particularly 
useful to criminals—in one Sacramento case, the cops 
couldn’t read a pedophile’s diary encrypted with 
Zimmermann’s software—he argued that all technology has 
trade-offs. 


Perhaps the highlight of Zimmermann’s odd celebrity 
came one day in San Francisco when some businesspeople 
decided to take him for an evening on the town that wound 
up at a North Beach strip club. The young lady lap dancing 
in proximity to Zimmermann asked casually what he did. 
“I’m a cryptographer,” he said. “I wrote a program called 
PGP.” 


The lap dance stopped in midgyration. “You’re Phil 
Zimmermann?” she asked in awe. “I know all about PGP!” 


True, cypherpunk sex workers were not everyday 
occurrences. But PGP’s audience was beginning to extend 
beyond techies and privacy nuts. The Wall Street Journal 
described how PGP was used by lawyers maintaining 
electronic confidentiality with clients, authors protecting 
their works in progress from copyright infringers, and an 
astronomer staking his claims to his celestial discoveries. 


In order to entice commercial audiences, Zimmermann 
had licensed the code to a company called ViaCrypt. Since 
ViaCrypt already had paid a licensing fee to RSA, it could 
sell PGP to business customers without fear of a lawsuit. 
(Supposedly paying two license fees was worth it, since PGP 
had become, by virtue of its underground following, a 
wonderful brand.) Beginning in 1994, the main distribution 
point for the much more popular freeware version was an 
unexpectedly mainstream ally, the Massachusetts Institute 
of Technology. Some there, notably professor Hal Abelson 
and network manager Jeff Schiller, believed that the 
Institute should be allowed to provide Americans with 
programs that they were legally permitted to use—and do it 
on the Internet, which was by far the most expedient 
method of software distribution. So MIT stored the latest 
versions of PGP on its Internet server and allowed anyone 
to download it—after asserting that they were, indeed, 
Americans. 


The honor system obviously wasn’t what the government 
had in mind when establishing the export laws. So flimsy 
was the MIT protection against export that copies of PGP 
downloaded from its site were spotted outside the country 
two days after the program was made available. Still, the 
citizenship restriction apparently was sufficient for MIT to 
avoid official complaints, let alone a criminal investigation. 
Not that the government officially approved of the 
arrangement. In one memorable session at a 1995 
conference, MIT’s Jeff Schiller and NSA counsel Ronald Lee 
(who replaced Stewart Baker in 1994) faced off. Despite 
repeated pleas to make some sort of statement about 
whether MIT’s restrictions were sufficient, Lee refused to 
draw even the vaguest guidelines for what was permissible 
and what could land you in jail. Meanwhile, the MIT Press 
published a book (those analog dead-tree artifacts were still 
around) that contained nothing but hundreds of pages of C 
source code—the entire PGP program, formatted so that 
computer scanners and character recognition software 
could easily transform the printed hard copy into a real-life 
industrial-strength crypto product. It seemed almost 
surreal that such a scheme could be legal while a grand 
jury still contemplated indicting Phil Zimmermann, but that 
was the shaky state of crypto export policy in 1995. 


Another crypto rebel faced with intrusions from the nasty 
real world was Julf Helsingius, the Finnish programmer 
who ran one of the first, and certainly the most popular, 
remailers in the world. By 1995, his operation called Penet 
was a shining example of crypto anarchy, stripping 
identification from thousands of messages each week, and 
sending them off on their merry anonymous way. Its 
operator was himself becoming well known in certain 
circles—and reviled by government doomsayers who 
warned that such services would prove the end of civilized 
society itself. But when the real trouble came it was not 
instigated by a government, but a private group: the 
Church of Scientology. 


Scientologists had been routinely incensed by the 
criticisms of unhappy former members on Internet 
discussion groups. In some cases, these apostates had 
obtained church documents and were posting them on the 
Net. Scientology officials wanted to charge these people 
with violating the church’s copyright and trade secrets. But 
since the addresses of the critics were laundered through 
the cypherpunk remailer system—very often on Penet, as it 
turned out—there was no easy way to find who was 
responsible for the messages. 


Then it turned out there was a way. Penet—unlike many of 
the cypherpunk remailers—was “two way,” enabling people 
to respond directly to anonymous postings. This required a 
means for Julf’s system to keep track of who was sending 
messages. First, church lawyers wrote a letter to 
Helsingius, formally notifying him that his service was 
forwarding mail that violated their copyright. Julf politely 
replied that his policy was to keep hands off the traffic 
going through his computers. Didn’t they “get” remailers? 
The lawyers wrote back, threatening legal action. 
Helsingius, in Finland, figured that the chances were slight 
that these faceless attorneys in California could do any such 
thing. Then Julf Helsingius’s phone rang. It was a 
representative of the Church of Scientology, in person. In 
Finland. 


Would Julf like to be taken out for dinner? 


No sense in turning down a meal, Julf figured. He 
suggested a Thai joint. The man was friendly, saying that he 
was a retired policeman, and that all he wanted was two 
things: for the messages to stop, and for Helsingius to let 
him know who was sending them. 


“I’m sorry,” said Helsingius, “I can’t do that.” 


But the Scientologists were not relying on Julf 
Helsingius’s good will to cough up a name. They filed a 
complaint with the Los Angeles police, charging that their 
stolen property was being shipped over the Internet, and 
fingered Julf as someone willfully withholding the identity of 
the thieves. In Finland, that’s a grave crime, sufficient to 
get a search and seizure warrant. 


About a week after apologetically turning down the 
retired cop, Julf Helsingius got another call—from the 
Helsinki police. We have a court order, they told him, and 
must take your computer away so it can be searched. 
Helsingius’s heart sank—he knew that he had to comply. 
(Ironically, if Helsingius had used readily available crypto 
software to encrypt his data and protect his customers, 
such a search would have proven useless. But because of 
“performance reasons”—“the database is huge,” he 
explains—he did not encrypt the contents of his disk.) 


But while Helsingius knew that he had to give up the 
single customer whom the Scientologists wanted, he didn’t 
want to put thousands of others at risk. Fortunately, in 
keeping with the cordial relations Finns have with their 
police, he was able to negotiate a transfer that would not 
require him to turn over the contents of his entire database. 
Helsingius simply copied the e-mail address of the offending 
party onto a floppy disk, and set it on the table, allowing the 
police to take possession of that disk. “I was not too happy, 
but it was a compromise,” he says. 


Helsingius’s troubles were not over, however, because 
another institution of the real world was about to rain on 
his crypto anarchy parade: the media. The same day he 
handed over the disk to the police, a story ran in a Swedish 
newspaper claiming that the majority of all child 
pornography on the Internet was routed through a server 
in Finland. Obviously it was referring to Penet. But Julf 
knew that his service did not distribute such materials, 
since he blocked “binaries” (digital photographs). Not that 
people cared to check. When he tracked down the source of 
the information, it turned out that some child pornography 
ring had forged the headers on porno binaries, making it 
look as if the stuff came from his site when it actually was 
posted from a location in the United Kingdom. Still, the 
publicity was damaging, and became worse when a British 
newspaper repeated the charge, this time citing Helsingius 
personally as the evil middleman of Internet kiddie porn. 


Meanwhile, the Scientology civil case wasn’t going away; 
Helsingius was called to a Finnish court to explain why he 
shouldn’t turn his names over. By then he had taken 
measures to protect the security of the 700,000 e-mail 
addresses on his server. The names still weren’t encrypted, 
but hidden: he’d moved the computer out of his home to a 
storage room at a secret location. And he’d hired lawyers, 
though God knows he didn’t have the money for that sort of 
thing. He claimed to the Finnish court that those who used 
his services were entitled to privacy. But to his dismay, the 
judge ruled that e-mail shouldn’t have the same protections 
as physical mail. The whole thing had taken cyberspace a 
step backward, at least in Finland. 


That was it for Julf Helsingius. “The decision was quite 
clear,” he said. “There’s no way you can run a server like 
mine in Finland.” So on August 30, 1996, he shut down 
Penet. The ineluctable lesson was that while technology can 
provide crypto freedom, the real people who use it must live 
in the real world—where governments and regulators have 
the means to track them down. The real world can make 
things very, very complicated. 


But David Chaum could have told you that, too. 


The maverick inventor of anonymous digital cash—and 
the holder of important patents on electronic money—was 
having a difficult time keeping his company Digicash afloat. 
Though he had assembled a terrific staff of enthusiastic 
programmers and cryptographers at his Amsterdam 
headquarters, there was increasing unrest within the team. 
Chaum wasn’t completing the important alliances he 
needed to get his ideas into the mainstream. The intrigue in 
his little group intensified when one of his former students, 
Stefan Brands, claimed to have devised an alternative 
means to produce anonymous cash, and began exploring 
ways to license these ideas. Chaum insisted that Brands’s 
work was dependent on his. (Brands obtained valid 
patents.) Meanwhile, Digicash was still looking for the big 
deal. 


Digicash had begun an experimental pilot program on the 
Internet called E-Cash. It used a form of scrip, digital 
Monopoly money. But it really was a test run for the 
prospect of true digital cash on the Net, a form of currency 
that would one day usurp folding bills and metal coins. For 
now, though, a user could get 100 “cyberbucks” simply by 
asking. The digital tokens could be e-mailed to friends or 
used to “buy” things from any merchants who decided, in 
the spirit of experimentation, to accept cyberbucks. All of 
this was done anonymously. Though one participating 
merchant was the Encyclopedia Britannica, which took 
Chaum’s pretend money in exchange for its articles, most of 
the extremely limited universe of E-Cash merchants was ad 
hoc operations like “Big Mac’s Monty Python Archive Shop,” 
which offered unauthorized transcriptions of that comedy 
group’s routines for various increments of cyberbucks. 


When Chaum finally did break some news, it was with a 
Midwestern institution with a name more familiar to 
literature students than international financiers: the Mark 
Twain Bank. The idea was to deliver a version of E-Cash 
where the units finally could be exchanged for real money, 
backed by Mark Twain. Then, perhaps, larger institutions 
would jump in. At that point Chaum’s critics—one of whom 
dismissed his ideas as Walden Pond meets the Internet— 
might shut up. But the Mark Twain scheme never took off. 


It wasn’t just Chaum who was having difficulties 
establishing crypto cash as an Internet standard. Electronic 
commerce hadn’t taken off quickly enough, and the 
still-evolving standards of the Net made any sort of crypto-cash 
scheme relatively hard to use. Chaum’s competitors were 
unfettered by the moral obligation to provide anonymity to 
their digital money—they generally felt that people really 
didn’t demand it. But those companies were falling short of 
expectations as well, among them the well-funded start-up 
Cybercash and Mondex, which allowed consumers to 
download money on credit-card-sized smart cards (think of 
a bank cash machine on your personal computer). But those 
disappointments paled beside Chaum’s. It was Chaum who 
had the patents for anonymous digital cash. And when 
Digicash finally filed for bankruptcy in 1998, it was Chaum 
who lost the patents. 


Yet despite the problems and harassments suffered by the 
crypto revolutionaries in the mid-1990s, their larger cause 
kept advancing. Skirmishes and setbacks to the contrary, it 
was the government that was on the run. After Al Gore first 
retreated by promising to amend the Clipper scheme in the 
letter to Representative Cantwell, the administration 
offered to negotiate a compromise with industry, and 
several meetings were held at NIST’s Maryland 
headquarters to try and reach a consensus. Hopes were 
high that some scheme would be reached whereby export 
standards were liberalized and any key escrow would be 
truly optional. Some of the things that the government was 
saying seemed quite reasonable. But when the 
administration’s officials unveiled the final rules, there were 
devils in the details. Bottom line: the export restrictions 
would continue as they always had and Clipper’s rules were 
only partially relaxed (for instance, users would be offered a 
choice of escrow agencies). The plan earned its sobriquet of 
Clipper II. 


Inevitably, it was followed by Clipper III, in 1996. That 
plan had a new angle. The idea was to give cooperating 
companies a carrot—if companies promised to build escrow 
into their future products, they’d be allowed to export 
unescrowed DES-strength crypto now. But in practice, this 
proved no more attractive than the earlier versions. The 
obvious relief would have been a blanket export exemption 
of reasonably strong crypto. Instead the government 
tinkered with variations of its same old policy. 


One continuing problem for the administration was that 
foreign countries regarded any American escrow scheme 
with suspicion. At one point, a “crypto ambassador” was 
sent off to try to convince the world community that such a 
global solution could work for all. But since he could offer 
no implementation where all countries had equal access to 
keys, his failure was a foregone conclusion. Some members 
of the administration considered this shortcoming the death 
blow to the entire policy. 


Meanwhile, spurred by complaints that American industry 
was losing business to foreign firms selling crypto software, 
Congress was reconsidering a legislative solution. In 1996, 
Senator Conrad Burns of Montana introduced the Security 
and Freedom through Encryption (SAFE) bill, designed to 
lift export restrictions on programs that offered a 
“generally available” level of crypto. (Presumably, this 
included DES and domestic-strength RSA.) The bill also 
addressed fears that the government might one day declare 
that Clipper technology would be the only permissible 
crypto: SAFE would specifically forbid mandatory key 
escrow. Burns, a crusty Westerner who felt more 
comfortable seated on a saddle than in front of a computer 
screen, was tickled at his new reputation as a high-tech 
privacy crusader. But the bill itself sat bottled in committee, 
as legislators still swayed by NSA’s well-orchestrated 
briefing stifled what the spooks continued to warn them 
was a threat to national security. “Some people here fully 
understand the issue,” complained Senator Patrick Leahy, 
an early SAFE supporter. “But with others, they’re talking 
like it was ten years ago, about an industry where ten days 
is an eternity.” 


If the government’s goal was simply to stall—each day the 
dike doesn’t crack, we win—then its approach could be 
considered a success. But as the cypherpunk attacks 
against export-strength crypto demonstrated—and the 
interception of unencrypted cell phone conversations, 
including the House Republican leadership, dramatized— 
such a policy had its perils. The country lacked a strong 
electronic security system, a vulnerability that became 
more serious as the Internet wound itself more deeply into 
the fabric of American life. 


That, at least, was a key conclusion of a major study by 
the National Research Council (NRC). That organization, 
the research arm of Congress, undertook a comprehensive 
examination of the national crypto policy, and recruited a 
panel of experts from all sides of the issue, including former 
cabinet members, officials from the NSA, and critics from 
business and academia like Ray Ozzie and Marty Hellman. 
Their report, “Cryptography’s Role in Securing the 
Information Society,” was a surprisingly strong criticism of 
government policy, and recommended continued freedom 
for domestic encryption, relaxed export controls, and, 
above all, “a mechanism to promote information security in 
the private sector.” In other words, more crypto. 


Perhaps the most interesting observation of the study 
came as a result of the classified briefings its members had 
received. (Three of the sixteen members declined 
clearances and did not attend.) Though they could not of 
course reveal what they had heard in the briefings, they 
could—and did—evaluate the importance of that secret 
knowledge in determining national policy. Answer: not 
much. “Those [classified] details ...,” the report stated, 
“are not particularly relevant to the larger issues of why 
policy has the shape and texture that it does today nor to 
the general outline of how technology will and policy should 
evolve in the future.” So much for the “If you only knew 
what we know” argument. 


Some people in the administration chafed at that 
conclusion. (In the NSA, there was even some unhappiness 
that the title of the report could be read as an acronym, 
CRISIS.) They conceded that the classified briefings given 
the NRC participants were thorough, but contended that to 
really understand the issue, you have to live and breathe 
intelligence. Sure, Marty Hellman or Ray Ozzie understood 
in theory that it was important to wiretap a crook or 
intercept a terrorist’s call on a cell phone. But every 
morning the president and the vice president got nice thick 
books that zeroed in on the world’s pressure points— 
everything from cracked diplomatic dispatches to the 
car-phone conversations of Russian mafiosi. The Clinton people 
knew damn well that if crypto was universal, significant 
hunks of those books would disappear. 


But that fine point was lost on the general public—and 
indeed on much of Congress, which commissioned the 
study. Instead, the NRC report stood as a call to arms to 
drop the silly restrictions against crypto and start using it to 
strengthen our own systems. After all, it argued, the genie’s 
out of the bottle. And quietly, some of the staunchest 
defenders of government’s control of crypto were 
themselves admitting it, too. 


Then another front opened in the crypto wars. For the first 
time, export regulations were facing a serious challenge in 
the courts. A decade earlier, the NSA’s Bobby Ray Inman 
felt that he had successfully fended off the 1978 opinion of a 
Justice Department lawyer that the export regulations 
violated the First Amendment. But no judge had ever 
addressed the issue. Many legal experts thought that if a 
ruling did come on the question, it might not be to the liking 
of the crypto community. Indeed, a recent decision involving 
cypherpunk Phil Karn’s legal challenge to export the floppy 
disk version of Applied Cryptography ended in flames. 
Rejecting the idea that the same information permitted for 
export in hard copy should be provided the same privilege 
in digital form, a federal judge had not only denied the 
request but also delivered a withering opinion on Phil 
Karn’s request, virtually accusing him of an immoral attack 
on national security. But that was a sideshow to a more 
important suit: that of Daniel Bernstein. 


Bernstein was a graduate student at Berkeley. He’d 
become interested in crypto and security after someone 
hacked his own computer account in 1987, and thereafter 
wanted to include crypto algorithms in his course work. As 
a reflection of how times had changed, courses focusing on 
cryptography were now almost mainstream. Technically, 
though, regulations seemed to forbid anyone from placing a 
crypto concoction somewhere a foreigner might see it. 
Which was exactly what Bernstein wanted to do. 


Bernstein’s project was inspired, coincidentally, by 
something Ralph Merkle had produced at Xerox PARC in 
1989: a hash function called Snefru. Written in 1990 when 
he was an undergraduate at NYU, Bernstein’s addition to 
Snefru playfully tweaked the illogic of the export codes. He 
knew that while encryption programs were subject to 
restrictions, hash functions like Merkle’s (which don’t 
scramble information per se) were not. So Bernstein wrote 
a program that transformed the hash function Snefru into 
something that could perform encryption and decryption. 
(Think of Snefru as a banned automatic weapon shipped 
through customs without a trigger, and the new program as 
a kit that installs the missing part.) “It takes any good hash 
function and turns it into a good encryption function,” he 
later explained of his creation. He called his crypto package 
Snuffle and wrote a paper to describe what he’d done. But 
he was worried about publishing it, figuring, he later said, 
that “the government might not be too happy about me 
pointing this out.” So he put Snuffle on the shelf. 
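
One general way a hash function can be turned into a cipher, shown as an added example that is not Bernstein's Snuffle code and does not come from the book: hash the key, a nonce and a counter to produce a keystream, then XOR it with the message. SHA-256 stands in for Snefru, and every function name below is an assumption made for illustration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream block i is H(key || nonce || i); concatenate and truncate."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce: bytes = None):
    """Return (nonce, ciphertext). A fresh random nonce is used unless given."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 16 bytes")
    return nonce, xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decryption is the same XOR with the same keystream."""
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def derive_keys(key: bytes):
    """Separate encryption and MAC keys so one key is never used for both."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = derive_keys(key)
    nonce, ct = encrypt(enc_key, plaintext, nonce)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything that was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = derive_keys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return decrypt(enc_key, nonce, ct)


if __name__ == "__main__":
    key = os.urandom(32)
    # Constructed sample messages of equal length.
    p1, p2 = b"meet at the dock", b"wire 500 dollars"

    nonce, c1 = encrypt(key, p1)
    print("round trip ok:", decrypt(key, nonce, c1) == p1)

    # Failure mode: the same key and nonce used twice. The keystream cancels,
    # so an observer of both ciphertexts learns the XOR of the two plaintexts.
    _, c2 = encrypt(key, p2, nonce)
    print("nonce reuse leaks p1^p2:", xor_bytes(c1, c2) == xor_bytes(p1, p2))

    # Failure mode: a bare XOR cipher accepts altered ciphertext silently.
    # The sealed form detects the change.
    blob = bytearray(seal(key, p1))
    blob[NONCE_LEN] ^= 0x01
    try:
        open_sealed(key, bytes(blob))
    except ValueError as err:
        print("tampering rejected:", err)
```
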


But at Berkeley in 1992, he reconsidered. Why not 
publish Snuffle? After all, it was not a commercial product 
but an academic exercise. Since the actual encryption 
relied on an already-published hash algorithm—he 
introduced no original encryption algorithms of his own—it 
presented no threat to the republic, so why would 
publishing it be a problem? The obvious place to release it 
was the sci.crypt discussion group on the Internet. But 
before uploading Snuffle to sci.crypt, he decided to take 
one final precaution to make sure he wasn’t violating any 
laws. He would ask someone in the government if such a 
step was permissible. 


That little step kept Snuffle off the Internet for the rest of 
the twentieth century. 


Bernstein’s first problem was identifying the proper 
government office to handle his request. After a series of 
queries he finally wound up at something called the Office 
of Defense Trade Controls. He sent his letter off in June 
1992. To his dismay, the reply, signed by William B. 
Robinson, the director of that mysterious office, asserted 
that distributing Snuffle without a license would indeed put 
Bernstein in legal jeopardy. 


Okay, Bernstein figured, I’ll go through the formality of 
getting the commodities jurisdiction—the “CJ.” First, 
though, he hoped that the Office of Defense Trade Controls 
would clarify what his rights were, and what appeals he 
might have if he disagreed with a government decision. It 
took him until March 1993 to get someone to talk to him. 
Finally he got Charles Ray, the special assistant to William 
B. Robinson, on the horn. (Bernstein taped his 
conversations, with permission.) Basically, Ray told him that 
his rights were, well, nonexistent. If he posted Snuffle on 
the Net without clearance, and some foe of the United 
States downloaded his program from a terrorist base in 
Afghanistan or an apartment in Paris, Bernstein might have 
to scope out a jail cell for his next home. “There are no 
exempt groups,” Ray told him. “If you’ve got something 
considered technical information covered by the Munitions 
List . . . then being a member of the press [or an academic] 
does not provide you with any sanctuary. ... You can still be 
prosecuted.” But what about the First Amendment? he 
asked. 


“That freedom carries with it a responsibility to comply 
with the existing legislation and regulations” was Charles 
Ray’s interpretation of the U.S. Constitution. 


A month later, Bernstein finally reached Ray’s boss, 
William Robinson, who confirmed that a CJ would be 
required before Bernstein could distribute his work. 
Subsequent conversations with government officials were 
even more frustrating. Not only was Internet posting 
forbidden, but Bernstein might be prosecuted even if he 
placed a copy of his paper in a public library. Of course, the 
National Security Agency became involved, as it always 
does in export cases of new crypto systems. Eventually, 
Bernstein managed to have some conversations with NSA 
representatives, learning that behind the Triple Fence some 
people considered Snuffle “strategic.” This meant, he 
inferred, that it was not trivial to break. “They offered to 
help me rewrite it to make it not strategic,” says Bernstein, 
but he deemed such a move counterproductive. 


So he’d play the game. In September 1992, Bernstein 
filed for five separate CJs. He’d broken the problem up into 
different versions—ranging from English-language 
descriptions of the system to mathematical formulas—“to 
see where they’d draw the line.” Could the government 
consider each one a “defense article”? He still maintained a 
belief that at some point the fog would clear from a 
bureaucrat’s eyes and he would finally realize that Snuffle 
was simply one graduate student’s academic work, not a 
weapon. But in October 1993, the government replied that 
yes, each one of his mathematical formulas was a weapon, 
“subject to the licensing jurisdiction of the Department of 
State.” 


Bernstein hadn’t begun the process as a rabble-rouser, 
but now he was himself thoroughly roused. He continued to 
pursue the case with a methodical patience that would 
prove devastating to the U.S. government’s eventual 
defense of its export regulations as they applied to Snuffle. 
He appealed the first CJ. When months passed without a 
response, he decided that he needed help. 


His benefactor was John Gilmore, no stranger to court 
battles against the government. The senior cypherpunk 
already had accumulated a file cabinet’s worth of 
documents with Freedom of Information requests originally 
withheld but later kicked loose by legal appeals. Gilmore 
referred Bernstein to a lawyer named Cindy Cohn, who 
took the case pro bono (the Electronic Frontier Foundation 
helped with the costs and coordinated the effort with 
supplementary counsel). In early 1995, Bernstein and the 
EFF filed a complaint against the State Department, 
charging that the export laws were unconstitutional. At the 
center of the case was the contention that Bernstein’s 
computer source code was a form of speech, and that by 
preventing its publication, the government was denying 
Bernstein’s right to express himself. 


That 1978 opinion—that the regulations might flout the 
First Amendment—was finally about to be tested. But few 
thought that a judge would resist the government’s 
inevitable claim that the export laws were crucial to 
national security, and that striking them down would 
unleash the modern-day version of the Four Horsemen of 
the Apocalypse: drug dealers, kidnappers, child 
pornographers, and terrorists. 


The case was tried before Judge Marilyn Patel in the 
Northern California District Court. One of her first acts did 
not seem promising for the plaintiff: she ordered the trial 
exhibits sealed, since the export rules forbade their 
distribution. But as the case progressed, Judge Patel proved 
to be more than sympathetic to Bernstein’s claims. Perhaps 
sensing this, the government tried a number of tactics to 
get the suit out of her court. It reversed itself on two of the 
five CJ determinations, admitting that those particular 
mathematical decisions were simply “technical data.” It 
argued that Judge Patel’s court had no jurisdiction in 
matters involving export law. It filed for immediate 
dismissal. But on April 27, 1996, Patel decided the case 
should proceed. The reason was enough to make a 
government regulator’s blood run cold: Judge Marilyn Patel 
had determined that at least part of the encryption export 
control rules was indeed unconstitutional. Furthermore, 
she accepted the Bernstein team’s assertion that computer 
source code could be considered a form of speech. Which 
meant that the much stricter First Amendment rules 
regarding prior restraint applied to Snuffle. As far as Judge 
Patel was concerned, this wasn’t about keeping a weapon 
within our borders. It was about illegally suppressing an 
opinion. That summer, Patel officially affirmed her 
preliminary decision. 


The government appealed to the higher Ninth Circuit 
court. By then Bernstein had received his doctorate and 
was teaching at the University of Chicago. He wanted to 
teach a course involving cryptography, but because of the 
continuing case, he required a government waiver to do so. 
It took another judicial ruling before he was finally 
permitted to distribute materials about his work—and then 
only to his students. The course was taught without 
discernible damage to the nation. 


But still the case dragged on. Oral arguments before a 
three-judge panel were scheduled for December 1997. 
Conventional wisdom had it that the appeals court would 
strike down what was seen as an impudent ruling from a 
judge who, after all, sat on the bench in wacky San 
Francisco. But in the packed courtroom, a rather harried 
government lawyer, a man of baby-boom vintage with 
experience before higher courts, was questioned harshly by 
the judges. The panel seemed more impressed with 
Bernstein’s advocate, Cindy Cohn, a diminutive woman in 
her early thirties, who, despite an occasional wavering in 
her voice, presented her arguments forcefully. One 
unexpected point she made was that by preventing 
publication on the Internet, the government was failing to 
heed the recent Supreme Court decision that struck down a 
law known as the Communications Decency Act: the court 
had ruled that the Net was a beacon of democracy entitled 
to the highest level of First Amendment protection. Cohn 
also urged the judges to consider the implications of not 
allowing crypto to thrive: was it proper for the government 
to deny the tools that citizens might use to safeguard their 
privacy? 


The three-judge panel pondered the case for more than a 
year, not handing down their ruling until May 1999. For 
Daniel Bernstein, it was worth the wait. By a two to one 
margin, they issued a broad opinion that not only affirmed 
Patel, but also went even further in celebrating 
cryptography itself as a vital component of democracy. 
Crypto should not be merely a state secret, they wrote, but 
also a protector of the people’s privacy. Somehow these two 
technologically unschooled jurists had gotten it. 
“Government attempts to control encryption ... may well 
implicate not only First Amendment rights of 
cryptographers,” wrote Judge Betty Fletcher, “but also the 
constitutional rights of each of us as potential recipients of 
encryption’s bounty.” 


Encryption’s bounty? Judge Fletcher was a cypherpunk in 
robes! 


The afternoon that the decision came down, Bernstein 
was proctoring a calculus exam in Chicago. Only afterward, 
when he checked his e-mail, did he learn that he had 
clobbered the government. 


The government appealed of course—but the export rules 
it was defending were looking less and less likely to survive. 


For years, the crypto dike had held admirably. But now it 
was crumbling. 


It was endgame for the government. 


Oddly, the NSA no longer appeared to be the prime 
obstacle to a solution—behind the Triple Fence one could 
discern a sense of resigned acceptance of the new crypto 
reality. Clint Brooks himself was no longer on the front 
lines, but ultimately the institution he served had come to 
accept his idea of change. Maybe its leaders recognized 
that instead of trying to hold back progress, their efforts 
might be better spent trying to prepare for the inevitable. 
Probably, when the NSA cipher wizards had really thought 
about it, the putative nightmare of crypto everywhere was 
something they felt they could handle—if they were granted 
more funding, of course. Perhaps, as Robert Morris hinted 
in his Crypto ’95 speech, and the cypherpunk-cracking 
effort had indicated, these shiny, “uncrackable” programs 
created by the private sector really weren’t so uncrackable 
after all, and the NSA was satisfied at its ability to get 
plaintext when it needed to. One caper funded by the 
Electronic Frontier Foundation had been particularly 
telling: a team of engineers led by John Gilmore and Paul 
Kocher had built a DES-cracking machine for $210,000. 
(DES, of course, was still deemed a munition too hazardous 
to send abroad in normal circumstances.) In a 
demonstration at a 1998 crypto conference, the device 
produced the plaintext to a DES message in less than 
twenty-four hours. Obviously, if such machines were 
produced in bulk, obtaining such keys would be dirt cheap. 
One had to assume that the NSA had plenty of similar units 
in its basement. 


In any case, it was the FBI, particularly its director Louis 
Freeh, that kept urging a hard line—even to the point of 
continuing to insist that the bureau should have access to 
plaintext even at the cost of regulating crypto within U.S. 
borders. Freeh had finally managed to get a version of the 
Digital Telephony bill passed, presumably forcing the 
telecommunications industry to design its products to be 
wiretap friendly. (Congressional opponents of the concept, 
however, had foiled its intent by refusing to budget the 
hundreds of millions of dollars needed to implement the 
effort.) But Freeh continued to fear that crypto would be 
the death of wiretapping. Since 1994, he had been 
demanding publicly that if his agents were unable to get 
plaintext from their wiretaps, Congress should institute a 
new era of prohibition by banning unescrowed strong 
encryption. “The objective is to get those conversations, 
whether they’re [conducted] by alligator clips or [by] ones 
and zeros,” he said. “Whoever they are, whatever they are, 
I need them.” But Freeh was no longer a Clinton 
administration favorite, and White House officials shrugged 
off his remarks. 


Not that the administration had given up its hopes of 
stemming the cipher tide. It’s just that with each iteration, 
its anticrypto vision got flimsier and flimsier. White House 
apparatchiks insisted that the changes were all in the spirit 
of Al Gore’s willingness to work with stakeholders in the 
crypto world to find the proper balance between codes and 
snoops. But the only direction that Clinton’s people were 
going was backward. “The boat was getting shelled,” Mike 
Nelson admits. The surest sign that a policy is in big trouble 
is when the words used to describe it are so discredited 
that they require euphemisms. By 1997, the word “escrow” 
became verbum non gratum, despite the fact that 
thousands of Clipper-equipped phones had now been 
purchased, their keys gathering digital dust in the 
prescribed escrow facilities. Now the stated goal was called 
key recovery. A policy that began with the firm controls of 
Clipper—secret algorithms in tamperproof hardware, 
government-controlled escrow facilities—had been modified 
to a software-based scheme where users could choose their 
own, privately run escrow facilities. Another compromise: 
the formerly top-secret Skipjack algorithm was finally made 
public. “We’re not stupid,” one administration official later 
explained. “We listened to the marketplace.” But the 
marketplace—meaning real people trying to buy, sell, and 
use crypto—didn’t want any part of an escrow scheme. 


Meanwhile, Congress was discovering the confidence to 
follow that market, rather than fall prey to the 
administration’s doomsday scenarios. Probably the most 
important factor was the rise of a well-organized lobbying 
effort by the computer industry. Since (now former) 
Representative Maria Cantwell’s kamikaze run at the 
export laws, the high-tech crowd had learned a lot about 
what the white-shoe contingent could do for them. 
Regulatory warriors like Bruce Heiman of the Business 
Software Alliance had made crypto their cause célèbre. 
Their alliances with civil liberties groups like the Electronic 
Privacy Information Center, EFF, and the Center for 
Democracy and Technology gave them populist street cred. 
The lobbyists met with crucial administration officials so 
often that either side could flawlessly complete the other’s 
sentences. And they cleverly identified the legislators who 
would promote procrypto bills, not so much in anticipation 
of actually passing them, but to increase the already 
considerable pressure for strong-crypto détente. The 
lobbyists’ prize converts were a conservative Republican 
from Virginia, Robert Goodlatte, and a new-economy 
Democrat representing Silicon Valley, Zoe Lofgren. 
Goodlatte in particular was a firebrand on the issue, a 
newly born crypto head in pinstripes. “The first thing we 
did was have him spend time with the NSA on this, so he 
could hear the point of view from the other side,” says 
Heiman. After being inoculated by a full-contact classified 
briefing, Goodlatte then was served the alternative reality: 
crypto was already abroad, industry was in danger of losing 
billions, and so on. Once the congressman adopted the 
outsider’s vision, he appeared so often with Internet 
industry leaders that it was a shame he was ineligible for 
stock options. 


Helped by a newly formed industry group called 
Americans for Computer Privacy (those “Americans” were 
thirteen corporations including RSA, IBM, Novell, Sun, and 
Microsoft), Goodlatte and Lofgren educated their 
colleagues on the political benefits of supporting strong 
crypto. In the Senate, the unlikely crypto crusader Conrad 
Burns of Montana took on the administration, backed by 
privacy-savant Patrick Leahy and the senator from 
Microsoft, Washington’s Patty Murray. 


A dramatically different variation on The Briefing was 
coming into vogue in congressional hearing rooms. Instead 
of shrouded conversations about maintaining our successes 
in codebreaking, witnesses were warning of potential 
disasters caused by outsiders screwing up our own systems 
—which were vulnerable, in part, because the world’s most 
advanced technological nation had failed to adopt strong 
crypto to protect those systems. Every corruption of a Web 
site and theft of on-line credit-card numbers seemed to 
reinforce those fears; the conclusions of the National 
Research Council were finally resonating. Even the FBI’s 
Web site got hacked! Capitol Hill was suddenly abuzz with 
the prospects of a “digital Pearl Harbor,” where hackers, 
terrorists, and hostile nations would grind our society to a 
halt by shutting down computer-controlled functions like 
the electrical grid or weapons systems. And though there 
was no magic bullet that might shore up our defenses, we 
did have a powerful tool to protect ourselves: strong crypto, 
the very thing that the administration had been trying to 
suppress! 


By 1999, an emboldened Congress was finally rallying 
around the SAFE bill, the three-year-old proposed 
legislation to relax the export rules. In fact, a majority of the 
House—258 members—had signed on as cosponsors. In the 
Senate, the news for the administration was no better. Its 
leader in the fight against relaxed export controls had been 
John McCain, the former Vietnam prisoner of war whose 
credibility on such matters was unimpeachable. A bill 
McCain and Senator Bob Kerrey had introduced in June 
1997 would deny the services of any future 
government-sponsored “certificate authorities” (agencies to distribute 
and authenticate public keys, a necessary component in a 
full-blown crypto infrastructure) to those who refused to 
escrow their keys—potentially giving citizens the choice of 
either using Clipper-type schemes or losing their ability to 
participate in the electronic society. But by 1999, McCain 
had looked more closely at the issue (and perhaps its 
impact on his pending presidential run). In a stunning 
switcheroo, McCain suddenly turned into Mr. Crypto, a 
vocal supporter of the SAFE bill. 


Was it time for the administration to finally toss its export 
forms in the air and yell “ciphertext”? Apparently so. Even 
though the administration never really believed that 
Congress would pass a bill demanding liberalized exports— 
the system was too convoluted to tackle, the risk of 
compromising national security too dicey, and in any case 
there was always the promised presidential veto—the White 
House was distressed and anxious that votes in the 
subcommittees kept the issue alive. More to the point, the 
Clinton people began pondering the potential consequences 
of a national disaster resulting from a lack of crypto—for 
which they could be blamed. Sure, allowing crypto exports 
could be dangerous, they figured, people may die... but on 
the other hand, if someone attacked an unprotected digital 
infrastructure ... people may die! As one White House 
policy maker later explained, it came down to how they 
would die: “Do you want them shot out of the sky with a 
surface-to-air missile, or do you want the floodgates on the 
Grand Coulee Dam to be rewired?” If the whole issue boiled 
down to six of one against half a dozen of the other, what 
was the sense of fighting such a thankless, uphill battle? 


In September 1999, Al Gore—himself preparing for a run 
at the White House—announced that a new set of 
regulations would be unveiled in December: the net result 
of which would be permission to export consumer-directed 
crypto products in any key length. So drastic a change was 
this that upon being briefed on the policy, Curt Weldon, a 
Pennsylvania congressman who had carried serious water 
for the administration in fending off the SAFE bill, could not 
contain himself. How can you be implementing this policy? 
he shouted. For years, you’ve been telling us that exports of 
strong crypto will compromise security and empower 
criminals. And now you're telling us you’ve changed your 
minds? 


“It’s over,” concluded Stewart Baker, who since leaving 
the NSA in 1994 had returned to his law firm to practice 
cyberlaw. Some suspected that the whole thing was yet 
another government stalling tactic; at the last moment, the 
regulators would unveil a plan loaded with fine print that 
represented very little change. Just like Lucy snatching 
away the football when Charlie Brown was ready to boot it, 
they imagined, the NSA and the FBI would once again deny 
the crypto community the ability to export strong keys. But 
by now it was clear that the game could have fewer and 
fewer iterations before Charlie would finally, inevitably put 
toe to pigskin. 


This time, in fact, the government made good. The first 
draft of the regulations seemed to dictate an alarming 
amount of red tape before strong crypto could be granted 
an “automatic” exemption—but tactful yet firm opposition 
from the Goodlatte-Lofgren faction and the industry led to a 
more commodious second draft. Not perfect, but sufficiently 
straightforward to assure even the paranoid that this time 
the good stuff could be sent abroad. No longer was a 56-bit 
DES key, or even keys of 64, 80, 128, or more bits, 
regarded as a deadly weapon. 


It was official: public crypto was our friend. 


A few days into the new millennium, it was time for the 
tenth-anniversary gathering of RSA’s annual cryptography 
conference. The gathering now had outgrown San 
Francisco’s largest hotels and was held at the mammoth 
San Jose Convention Center. It had become a huge crypto 
bazaar with a conference program with five separate tracks 
of seminars and over ten thousand people in attendance. 


Almost every year at the show, one of the keynote sessions 
tracked the progress, or lack of progress, of cryptography 
in the political realm. It would play out almost like Kabuki 
theater, with aggrieved representatives from the 
commercial, academic, or civil liberties world griping about 
the intransigence of the government. Then some unlucky 
emissary from the administration—an assistant attorney 
general, an NSA lawyer, a White House techno-policy wonk 
—would lecture an unforgiving crowd about the ineffable 
balance between privacy and national security, perhaps 
inflaming the gathering by an ill-placed “If you knew what 
we know” reply to one of the inevitably hostile questions. 
But this year it was different. Jim Bidzos came to the 
podium with a bottle of champagne, offering it to the people 
from Justice and the NSA on the panel. The fight is over, he 
was saying, and our guys won. 


Bidzos himself was no longer working full time, partly as a 
consequence of the June 1996 acquisition of RSA Data 
Security by an East Coast computer security firm called 
Security Dynamics. (Weeks before the January conference, 
the purchasing company decided to change its name and 
was now called RSA Security, Inc.) The price tag was 
around $300 million, of which Bidzos himself took in $40 
million. Some think that the sum might have been even 
higher—or RSA might have been able to pull off its own 
billion-buck Internet IPO—had it not been for the 
acrimonious breakup of Public Key Partners, when lawsuits 
flared between RSA Data Security and its partner Cylink. 
The people at Cylink had become unhappy with the 
arrangement, and also frustrated that the original 
agreement did not allow them to exploit RSA technology 
freely in their own products; they went so far as to 
challenge the validity of the MIT patent on the 
breakthroughs of Rivest, et al. (A remarkable action, since 
Cylink, through PKP, received a share of the royalties from 
that patent.) Bidzos and his colleagues, meanwhile, were 
livid that Cylink had developed an RSA-based product for 
the global transaction clearinghouse SWIFT. The suits were 
finally settled in late 1996, with the assistance of a federal 
judge. Both sides claimed victory at the complicated 
settlement (Bidzos noted that there were no findings that 
RSA had acted improperly) but valuable energies had been 
expended—while the patents themselves inched closer to 
their expiration dates. 


Not long after the sale, Bidzos figured he’d be happier 
with less involvement in the firm. He’d moved into a Marin 
County mansion, owned a sleek posse of BMW motorcycles, 
sampled exotic bottles of wine, practiced classical guitar, 
flew his minifleet of airplanes, and checked on his 
impressive stock portfolio. Investments had made him a 
millionaire many, many times over—his personal stake in 
the VeriSign digital certificate company alone (which he 
cofounded) was worth more than the money he cleared in 
the RSA sale (a stake that had itself now grown to over 
$100 million). His main job was now as a quasi-ambassador 
of the commercial crypto cause, and his main visibility came 
at the annual conference. 


Diffie was there, of course. Still unrepentantly longhaired 
and strikingly bearded, he cut a startling figure in one of his 
bespoke suits. Though not wealthy by Silicon Valley 
standards, the few million dollars he had received from his 
patents and RSA stock made him quite comfortable. He and 
Mary Fischer were still together, still very much in love, 
though their one-time petting zoo was now down to two 
Tibetan mastiffs. 


Rivest, Shamir, and Adleman attended as well. Rivest was 
now a well-respected graybeard, still on the MIT faculty but 
wealthy from his RSA holdings. He was still doing original 
crypto research. Shamir was even more active in the field, 
brainstorming everything from systems for digital cash 
micropayments to a new computer that could factor huge 
numbers. But Len Adleman was pretty much out of crypto, 
working instead on schemes that combined mathematics 
with organic chemicals, like DNA computers. 


Some key cryptographers and figures in the struggle 
didn’t make it to San Jose for the event. Ralph Merkle, too 
busy with his work at Xerox PARC in the field of 
nanotechnology, couldn’t find the time to accept an award 
bestowed by RSA for significant contributions in the field. 
And Ray Ozzie was immersed in the development of his first 
major project since Notes: within weeks he would receive— 
fifteen years after his first frustrating contacts with the 
NSA—export clearance to ship 2048-bit RSA keys, 256-byte 
RC-4 (yes, byte—eight times more than bits!) keys, and, by 
the way, clearance for plain old DES as well. 


Another unfortunate no-show was David Chaum. Had he 
attended, he might have seen plenty of things he liked. 
Anonymous crypto solutions like Chaum’s were increasingly 
cited as an antidote to the unwanted transmission of 
personal data. One start-up prominently displaying at the 
conference trade show was a Canadian company called 
Zero Knowledge that sucked up millions in venture capital 
to launch its “Anonymizer,” a Web site that allowed people 
to surf the Net without leaving their digital footprints 
behind. 


And though Julf Helsingius didn’t venture from Finland 
for the conference, his ideas still flourished. At the monthly 
cypherpunks meeting held the weekend before the event, 
there was the usual discussion of a new generation of 
remailers called “mixmasters,” which used an improved 
technology to make encrypted anonymous Internet 
messaging easy to use and devilishly difficult for 
governments to unravel. 


Phil Zimmermann, however, did manage to attend the 
conference. On January 11, 1996, the government had 
officially dropped its investigation of him and his co-target, 
Kelly Goen. To celebrate, Zimmermann’s wife had tossed a 
“Phil Got Off the Hook” party at the Rocky Mountain Peace 
Center. Not long afterward, Zimmermann decided to move 
to Silicon Valley and start a company, Pretty Good Privacy, 
Inc., to produce the software commercially. (An RSA lawsuit 
filed against the new company for copyright infringement 
was eventually settled, with PGP paying normal royalties for 
public key protocols.) But PGP Inc. was short-lived. 
Admittedly the kind of guy who couldn’t balance his own 
checkbook, Zimmermann turned over the operations of his 
company to businesspeople who went through millions of 
dollars in barely the time it takes to calculate a long prime. 
The new company acquired other firms, had splashy 
displays at trade shows, and pursued an overly ambitious 
plan of transforming itself into a full-service security giant. 
Finally, the nearly broke company was sold to an 
established personal computer security firm, Network 
Associates. Zimmermann was kept on as the official head of 
PGP but his contribution came not so much as a software 
developer but as a living symbol of strong cryptography. It 
was in that iconic role that Phil Zimmermann attended the 
2000 RSA conference; his best moment came at a Network 
Associates party on the event’s second night. Standing at a 
computer keyboard, he made a big show of mouse clicking 
a file transfer that launched a copy of commercial PGP 
abroad. Only a few years earlier, the government wanted to 
throw him in jail for the same alleged act. 


Later in the conference came a series of sessions focused 
on a so-called crypto bakeoff run by NIST to choose a 
successor to the now-ancient Data Encryption Standard. In 
contrast to the selection of DES, which was made after 
closed-door meetings with its creators and agreements to 
keep its design principles secret, the Advanced Encryption 
Standard was being run as an open competition, with the 
winner to be chosen by 2001. Not only the algorithms 
themselves but also the design considerations were 
completely public. All, as required by NIST, were much 
stronger than DES, with minimum 128-bit keys. It would 
have been difficult to argue for strong restrictions against 
the export of the algorithm in any case, since more than 
half of the contenders were written by cryptographers 
outside the United States. 


It had taken more than twenty years since Whit Diffie’s 
discovery—so long, in fact, that in just a few months into the 
new century, the suite of patents covering public key and 
RSA would one by one reach their expiration dates—but the 
era that Diffie had dreamed of was finally beginning. In a 
keynote speech following Bidzos, a vice president at 
Microsoft announced that its new operating system, 
Windows 2000—variations of which would undoubtedly find 
their way into almost every personal computer sold in the 
new century—would have 128-bit crypto built in, with 
government clearance to export it. And Apple Computer 
was already shipping strong crypto in its new operating 
system. 


And, of course, crypto was already a component in every 
Web browser, enabling the secure transfer of credit-card 
numbers and financial information. In 2000, there would be 
over $80 billion worth of e-commerce transactions—a 
number that was estimated to eventually shoot into the 
trillions; virtually all of that was protected by RSA crypto. 
And later that year, a national digital signature bill would be 
passed, finally clearing the way out of the logjam caused by 
the administration’s foot-dragging back in 1992. President 
Clinton would sign the bill electronically. 


The once-forbidden technology was suddenly the new 
panacea. It was envisioned that the solution to the pirated 
downloading of music and films would be... crypto. In 
addition, crypto was the secret sauce of protected 
corporate discussions used in “virtual private networks,” a 
hot business trend that allowed snoop-proof conferencing. 
The movement of medical records to the on-line world 
would be possible only with crypto. And crypto was 
expected to be an essential component in the next 
generation of the Internet, where all of us would 
communicate with non-personal-computer “devices” 
ranging from palmtops to phones to kitchen appliances. We 
would be wired and wirelessed up the wazoo, and crypto 
would be our privacy safety net. 


To be sure, its revolutionary impact would be stealthy. The 
hundreds of millions already using it in browsers and 
operating systems, for instance, knew nothing of Whit Diffie 
and the others, even as their machines silently made key 
exchanges and scrambled, unscrambled, and successfully 
completed transactions with secrecy that would stagger the 
medieval occultist Trithemius, stun autokey wizard 
Vigenère, and perhaps bring a wistful smile to Lucifer’s 
creator, Horst Feistel. Why didn’t it happen sooner, as Diffie 
had expected? Because it wasn’t until the Internet that it 
had to happen. 


So there was reason to celebrate at the 2000 RSA 
conference. But those wondering why the turnaround had 
come so quickly would have found a succinct answer one 
year earlier—same season, same place, at the 1999 
conference. That event had opened with the soaring 
vocalists of the Oakland Interfaith Gospel Choir. Decked out 
in electric blue robes, they filed onstage, booming out a 
holy-roller version of the rock song “I Still Haven’t Found 
What I’m Looking For.” The lyrics had been changed to 
refer to the long struggle for widespread, strong 
encryption. But when Jim Bidzos himself hit the stage, 
similarly berobed, his preacherlike testimony presciently 
claimed that the clouds were parting, the rainbow just 
ahead. If not crypto anarchy, he knew, crypto ubiquity was 
on the way. He realized that for all those years he’d been 
flogging the public key dream, he’d been pushing a boulder 
uphill. But the problem hadn’t been only the government or 
the export regulations, but the product itself. Public key 
cryptography was a mathematical marvel, but it had 
actually been born too soon. Twenty years ago, it was a 
solution whose problem hadn’t fully materialized. 


No more. Not when every desktop had a computer on it 
and was connected to the Internet. Not when nearly every 
lap had one of the things, too. Not when phones were 
beginning to get hooked to the World Wide Web, along with 
set-top television boxes, and even videogame consoles. 
Certainly not when all those Net-connection devices were 
being used to shuttle everyone’s private information, and 
even their credit cards. Especially their credit cards. 


Jim Bidzos looked at his audience and made his own joyful 
gospel sound: “We’ve found the problem to the solution,” he 
said, “... and it’s e-commerce!” 


epilogue: the open secret 


Flashback to 1969. Whitfield Diffie is just beginning to 
cogitate on cryptography. Marty Hellman isn’t working at 
Stanford yet. Ralph Merkle is still in high school. The world 
of high-level codes is owned and operated by intelligence 
agencies. And would be, until the invention of public key by 
Diffie, Hellman, and Merkle, and its implementation by 
Rivest, Shamir, and Adleman. Their mind-blowing ideas that 
would smash the monopoly of the spooks were years away. 


James Ellis wasn’t the type to call himself a spook. True, 
he worked for General Communication Headquarters 
(GCHQ), the British counterpart to the National Security 
Agency. But he preferred to describe his agency, along with 
its NSA cousin, as “the closed community.” He was a 
member of a clan driven by patriotism, pride, and the 
simple need to bring home a paycheck. If brilliant work was 
done, it would be acknowledged privately, within the 
bounds of the secret society. James Ellis’s brush with 
brilliance was a prime example. He was the real inventor of 
public key cryptography. And for almost thirty years, 
virtually no one knew it. 


Ellis’s colleagues would never have pegged him as a likely 
candidate for a breakthrough that could change the very 
rules of their science. He was seen as capable of good ideas 
but at heart more of a dreamer. Some thought him a 
borderline wacko. He was an Australian-born orphan who 
had been raised by grandparents in the East End of 
London. He’d joined GCHQ, located in the Cotswolds town 
of Cheltenham, in the 1950s, after attending Imperial 
College. Ellis understood that he was entering a world 
where communication about one’s work with the outside 
was strictly forbidden, now and forever. The job was to 
work for one’s country; dreams of personal ambition and 
public recognition were to be put aside. “The fullest value of 
cryptography is realized by minimizing the information 
available to potential adversaries,” Ellis would write. 
“Professional cryptographers normally work in closed 
communities to provide sufficient professional interaction to 
ensure quality while maintaining secrecy for outsiders.” 


This sounds rather lofty, but in truth Ellis’s assignment 
did not place him in the white-hot center of international 
intrigue. “I think in some ways,” says Malcolm Williamson, 
who as a future colleague would have his own role in this 
story, “he was sort of sidetracked. At least my impression 
was that he was working on not really critical stuff and not 
really slated to be in charge of big projects or anything like 
that.” 


“He was an almost classic English eccentric: nice, 
disorganized, shambling around,” says Nick Patterson, who 
arrived at GCHQ in the late 1960s. “Some managers wrote 
him off as a nutcase, but he was full of ideas. Half of them 
were ridiculous, but half could be brilliant.” 


Most people, though, saw only the strange fellow who 
habitually spooned instant coffee from a hand-mixed jar 
containing Nescafé and sugar—he thought it was less 
efficient to add the sweetener every time he made a cup. 
Another obstacle to the recognition of his talents was an 
inability to express some of his insights clearly. “He was the 
worst technical public speaker I’d ever seen,” says one 
colleague. “Listeners would consider his talks an absolute 
ordeal. Ellis would typically begin a talk by apologizing that 
he’d been asked to give a presentation on something he 
knew nothing about, then he’d go on for twenty minutes in 
some bizarre direction. But then—and this is why his talks 
were attended at all—without fanfare, he’d slip in 
something amazing.” 


Ellis himself was somewhat bitter that one of the best 
ideas he’d ever had had been wasted. A longtime fanatic of 
radio design, he had come up with a certain kind of audio 
circuit that would provide better reception. He actually 
patented his idea, and a company offered to try building it 
into its radios. But apparently the company’s engineers, 
under orders to save money by cutting down on 
components, butchered his design. As a result, the radio 
reception was unexceptional. The fiasco was always a sore 
point with Ellis. 


In 1969, Ellis, then in his forties, was working in the part 
of the agency called Communications Electronics Security 
Group (CESG), in what was probably the most appropriate 
position for him: a group of maybe a half dozen researchers 
working on long-range projects. Blue sky stuff. He had just 
rejoined CESG as a senior scientist after a stint at the post 
office, presumably helping on security issues. And now he 
found himself working on a problem that most people 
believed was unsolvable. 


In the 1960s, the intelligence establishment was just 
beginning to consider the revolution in computers and 
wireless technologies, and the subsequent huge demand to 
provide protection for government communications that 
went over these channels. But while devices to perform 
encryption had gotten cheaper, one part of the process 
hadn’t changed fundamentally since World War II. This was 
the means of distributing and holding cryptographic keys. 
The restrictions needed to protect those keys acted as a 
bottleneck: for every two people wishing to communicate 
securely, a brand-new secret key had to be generated for 
that particular conversation. Thousands of people were in 
the classified loop; that meant literally millions of keys to 
move securely and protect. The problem was essentially the 
same one that would soon bother Whit Diffie: the hair- 
pulling complexity, and the security risks, that came from 
managing this vast number of keys. 


It was a tough problem, and of course no one expected 
James Ellis to solve it. After all, certain rules of 
cryptography seemed as firm as the laws of physics. And 
what law was more certain than the one which assumed 
that secret keys used to encrypt communications should 
never be placed in a position where outsiders could 
intercept them? But Ellis, according to another colleague, 
Clifford Cocks, “was the sort of person who, whatever the 
problem you’d give him, would always start by challenging 
the basic assumptions, coming up often with questions that 
pointed to the invalidity of the assumptions you were 
working on—assumptions that maybe were stopping you 
from getting the solution.” In attempting to crack the key 
management problem, almost any cryptographer would 
rule out of hand any solution that involved sending secure 
messages when not only the method of encipherment is 
known to the potential interceptor, but every transmission 
is assumed to be as equally accessible to the snoop as to the 
intended recipient. Including the transmission of key 
material. Even Ellis doubted that it could be done. “It was 
obvious to everyone, including me,” he later wrote, “that no 
secure communication was possible without a secret key, 
some other secret knowledge, or at least some way in which 
the recipient was in a different position from an interceptor. 
After all, if they were in identical situations, how could one 
possibly be able to receive what the other could not? Thus 
there was no incentive to look for something so clearly 
impossible.” 


Ellis would soon get that incentive. It was an unsigned 
paper that had long been buried in the mountain of secret 
material accumulated inside the boundaries of the shadow 
world. It described a project conceived by Bell Telephone 
during the final days of World War II, one that had been 
quickly classified and forgotten. The scheme was part of 
something called Project C43, a primitive yet ingenious 
experiment in analog voice scrambling. Say you want to 
send a message over a phone line and suspect that 
someone is listening. How can you keep the message 
secure? The anonymous Bell scientist postulated that the 
person who wants to receive the message should simply 
add noise to the line. When the message gets sent, it will be 
intermingled with the noise so that an eavesdropper will 
hear only garbage. But the recipient, who knows precisely 
how that noise was generated, may be able to subtract that 
noise from the transmission—and wind up with the original, 
unscrambled message. 


For purposes of modern cryptography, Project C43 was 
useless. For one thing, it was an analog model and now 
everyone used digital communications. But Ellis found it 
exciting: here was a system where the sender of a message 
didn’t have to worry about whether a potential enemy was 
listening, even if the foe knew how the system worked. 
What made this possible, Ellis realized, was that, in contrast 
to conventional cryptography, the recipient is actually a 
collaborator in the process of encryption. “Secure 
communication,” Ellis would write, “was at least 
theoretically possible if the recipient took part in the 
encipherment.” 


Could such a system work with real-life digital 
cryptography? Ellis decided that the heart of the matter 
was a heretical issue: whether a secure, digitally encrypted 
message could actually be sent without any keys being 
exchanged in advance. According to his later account, that 
actual question popped into his head one night after he had 
gone to bed. And only a few minutes later, he had his 
answer. 


Yes. 


Sitting there in the dark in his Cheltenham bedroom, he 
came up with an existence proof for the question. And his 
name for it would embody the contradiction: Non-Secret 
Encryption. 


Ellis’s scheme was centered around a set of three 
mathematical transformations. A recipient, Alice, would use 
two of these and a sender (hello again, Bob) would use a 
third. A third, unwelcome party, Eve, is a potential 
interceptor who also has access to these functions, since 
they are, in this scenario, public knowledge. The process 
begins by a crucial act suggested to Ellis by Project C43: 
the potential message recipient gets involved in the 
scrambling process. Alice starts by generating a large 
number chosen at random—this, in effect, is a secret key 
that only she holds. She does this by performing a certain 
mathematical function to transform the key to a different 
number. Then she sends that number to Bob. 


This new number is analogous to what Diffie and Hellman 
would later call a public key. Since an important property of 
the mathematical function is that it cannot be calculated in 
reverse, even those who have this second, nonsecret 
number, and also know what function produced it, cannot 
do an inverse calculation to retrieve the first, secret 
number. This is something that will remain known only to 
the recipient, Alice. 


Now that Bob has this nonsecret number, he uses it with 
a second function to scramble the private message he has 
for Alice. Then he sends the scrambled message to Alice. 
How does Alice restore the message back to its original 
plaintext form? With the third mathematical function, she 
uses her original, secret key essentially to strip the 
encryption from the message. Alice can now read it, and 
Eve can do nothing but gnash her teeth. 


In effect, the nonsecret key acts like the line noise in 
Project C43: although any eavesdropper can hear the noise 
on the line, only the recipient knows how the noise was 
generated (this information being the equivalent of a secret 
key), and thus only the recipient can strip out the noise (or, 
in this case, perform the proper function) to restore the 
scrambled message to its original, clear form. By figuring 
out a scheme that adapted the principles of that project to 
the digital age, Ellis had potentially changed the rules of 
cryptography. Since these non-secret keys did not have to 
be protected, it was possible to have secure 
communications without prior arrangement. This meant 
that field personnel would not have to be provided with 
symmetrical keys beforehand, keys that then had to be 
fanatically protected. It was now possible to conceive of 
protected communications on a much vaster scale. 


It had not been Ellis’s specific assignment to create a 
revolution in cryptography, but now he had to deal with the 
possibility that he had done just that. Certainly, the very 
basis of the idea—its “nonsecret” element—was so 
seemingly antithetical to the practice of cryptography that, 
to some GCHQ muckety-mucks, striking down Ellis’s thesis 
was a blow for the natural order. 


In any case, the idea had to be vetted. In July 1969, a 
draft of Ellis’s paper was sent to the GCHQ chief 
mathematician, Shawn Wylie. If God was in His Heaven, 
surely the mathematics staff, or perhaps the chief himself, 
would find a fatal flaw in this system. It took months for 
their results to be reported, but just before Christmas that 
year, Wylie wrote his summation. “Unfortunately,” he wrote, 
“I can’t see anything wrong with this.” 


But, the mathematician noted, Ellis had come up only 
with a proof that such a system could exist—not the system 
itself. What was missing was the means to assure that there 
was a secure way of generating a “nonsecret” key from the 
original private key. You needed to be sure that the Eves of 
the world, who after all would have free access to the 
nonsecret key, could not reverse that first process and 
discover the secret key. Ellis had conjectured a set of look- 
up tables that would perform the various scrambling and 
descrambling calculations, but had not come up with the 
specific functions themselves. Until they were discovered— 
and skepticism ran rampant that this was even possible— 
nonsecret encryption could only be seen as a curious 
theoretical anomaly. And nothing more. 
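
The three-function exchange described above, realized with look-up tables of the kind the text says Ellis conjectured. This is an added toy example, not code from the book or from Ellis's paper; the table sizes, function names, seed, and sample key are assumptions chosen for illustration.

```python
import random


def build_tables(n_keys, n_msgs, seed=1969):
    """Build three PUBLIC look-up tables for a toy instance.

    m1[k]    -> x : Alice's secret key k to her nonsecret number x
    m2[x][p] -> z : Bob scrambles plaintext symbol p under x
    m3[k][z] -> p : Alice unscrambles z with her secret key k
    """
    # Seeded so the example is repeatable; a real key choice needs a CSPRNG.
    rng = random.Random(seed)

    # M1: a random permutation of the key space.
    m1 = list(range(n_keys))
    rng.shuffle(m1)

    # M2: one random permutation of the message space per nonsecret number.
    m2 = []
    for _ in range(n_keys):
        perm = list(range(n_msgs))
        rng.shuffle(perm)
        m2.append(perm)

    # M3: for each secret key k, the inverse of the permutation m2[m1[k]].
    m3 = []
    for k in range(n_keys):
        forward = m2[m1[k]]
        inverse = [0] * n_msgs
        for p, z in enumerate(forward):
            inverse[z] = p
        m3.append(inverse)
    return m1, m2, m3


def alice_publish(m1, k):
    """First function: secret key -> nonsecret number sent to Bob."""
    return m1[k]


def bob_encrypt(m2, x, p):
    """Second function: Bob scrambles one symbol using only public data."""
    return m2[x][p]


def alice_decrypt(m3, k, z):
    """Third function: Alice strips the scrambling with her secret key."""
    return m3[k][z]


def eve_recover_key(m1, x):
    """Eve holds the tables and x. Inverting M1 is a linear scan.

    Returns (recovered_key, table_probes_used).
    """
    for candidate in range(len(m1)):
        if m1[candidate] == x:
            return candidate, candidate + 1
    raise ValueError("x is not in the table")


def demo():
    n_keys, n_msgs = 1024, 256           # toy sizes (assumption)
    m1, m2, m3 = build_tables(n_keys, n_msgs)

    k = 777                              # Alice's secret (constructed sample)
    x = alice_publish(m1, k)             # travels in the clear

    message = b"no prior key"            # constructed sample plaintext
    cipher = [bob_encrypt(m2, x, p) for p in message]
    plain = bytes(alice_decrypt(m3, k, z) for z in cipher)

    # Eve sees x and cipher, and has the same public tables.
    eve_key, probes = eve_recover_key(m1, x)
    eve_plain = bytes(alice_decrypt(m3, eve_key, z) for z in cipher)

    return {
        "plain": plain,
        "eve_key": eve_key,
        "eve_probes": probes,
        "eve_plain": eve_plain,
    }


if __name__ == "__main__":
    print(demo())
```

In this toy instance Eve's work grows only linearly with the number of keys, and the tables grow at the same rate, so tables large enough to stop her cannot be stored or shared. That is the gap the passage describes: the structure works, but it needs a function that is cheap to compute and infeasible to invert in place of the first table.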


“The conclusion,” says Clifford Cocks, “was ‘This is really 
wonderful, this is ingenious, it’s really clever, but how will 
we ever be able to make use of it?’ ” 


Ellis did not sugarcoat this problem when he formally 
wrote up the scheme in January 1970. But neither did he 
shy away from the implications of his idea. The internally 
published—and of course, classified—paper was entitled 
“The Possibility of Secure Non-Secret Encryption” 
(emphasis added). “It is necessary to distinguish carefully 
between fact and opinion, i.e., between that which has been 
actually proved and that which seems likely,” he wrote in 
the conclusion. “It is particularly difficult to do this in this 
case because we have established something which, to most 
people, seems inherently impossible.” In fact, he continues, 
the concept is not impossible because he had “rigorously” 
proven that his scheme was “theoretically plausible.” 


Only one step was required, then, to produce a 
revolutionary means of encryption, and that was finding the 
proper mathematical functions. Not so easy. Ellis’s concern, 
even as he set about the search, was that his mathematical 
skills were not up to the task. (He was an engineer by 
training.) And despite the apparent advantages that a non- 
secret system would offer, GCHQ didn’t think it worthwhile 
to assign much brainpower to aid him in the quest. Still, at 
various times over the next few years, some CESG 
cryptographers would come across the paper and work on 
possible solutions. In 1971, a new chief scientist took an 
interest in the problem and did assign some people to 
spend a bit of time seeking a solution. But while those 
looking for the mystery functions developed an 
understanding of what the characteristics of such things 
might be, nothing they tried was successful. The high 
ground seemed to belong to those insisting that the whole 
concept was preposterous. 


It is unknown to what degree, if any, the NSA participated 
in this process. Dating from the collaboration of their 
respective predecessors in the days of Bletchley, GCHQ has 
shared confidential secrets with its so-called cousins in 
America. Yet there is no evidence that NSA efforts were 
being expended on nonsecret encryption at this point. The 
papers released by GCHQ indicate that the work in this 
field was limited to those few CESG cryptographers who 
had access to the project and interest in playing with it. And 
as a solution seemed less likely, those were becoming fewer. 


That is where Clifford Cocks plays his role in the story. In 
1973, Cocks was a recent CESG hire. Born of middle-class 
parents—his father was an accountant—Cocks had been 
bright enough to pass the exams for Manchester Grammar 
School, a competitive independent school with a solid 
academic reputation. From there, he had gone to Kings 
College, Cambridge, for an undergraduate degree in math. 
Then he took a year of graduate study at Oxford, working 
on number theory. “I wasn’t making real progress,” he 
admits. So, where to work? Though he didn’t know much 
about GCHQ, and really hadn’t thought about cryptography 
as a focus for his work, he knew that the secret agency 
needed mathematicians. Also, one of his childhood friends, 
Malcolm Williamson, was already working for GCHQ. (When 
the government investigated Cocks’s application, they took 
special notice of this, presumably fearing that there might 
have been something sinister in the coincidence.) So, at age 
twenty-two, in September 1973, Cocks entered the closed 
community. 


The prospect of not having papers distributed publicly did 
not bother Cocks. “I was happy about it,” he says. There 
would be no pressure to compete with the geniuses of 
academia. The lack of results in his student research led 
him to think that his contribution would lie more in the 
practical efforts he would devote to his government. 


When people arrived at GCHQ, they were given a mentor, 
“to teach you the ropes and tell you what you need to 
know,” says Cocks. His was Nick Patterson, another former 
Cambridge mathematician. Patterson, who had been a 
chess prodigy in his native Ireland, was himself only a few 
years older than Cocks. But he had been identified as an 
up-and-comer. One day at teatime, about two months after 
Cocks’s arrival, Patterson mentioned Ellis’s idea. He 
presented it to the younger man not as a challenge to 
implement a new form of cryptography, but as more of a 
puzzle. “Nick explained it to me very mathematically, in 
terms of wanting a nonreversible function, with a property 
where you could encrypt and decrypt with the input of this 
function,” says Cocks, who thinks that it was an advantage 
that he didn’t actually see Ellis’s paper. This way he could 
approach the problem with no preconceptions. Since he 
had done his research the previous year in number theory 
—working with large primes and multiplication—it made 
sense to him to use that knowledge to, he hoped, implement 
Ellis’s theory. 


“I suppose it was actually also helpful that I wasn’t doing 
anything that evening,” he adds. Because that night he 
walked back to the modest room he rented in Cheltenham, 
ate the dinner cooked by the woman who let him the room 
in her family home, and sat down to think. Because of the 
secrecy imposed by GCHQ in all things concerned with his 
work, he had certain limitations. He could not bring 
anything home from his office, and if he pondered a work- 
related problem “in digs,” he was not permitted to write 
anything down, not even notes on wastepaper. The only 
material he had was his brain. “Happily,” he said, “the first 
idea seemed to work just fine.” 


The idea was more than just fine—it was elegant. “If you 
wanted a function that couldn’t be inverted,” he says, “it 
seemed very natural to me to think of the concept of 
multiplying quite large numbers together.” Cocks figured 
that the secret “key” in his implementation would be two 
huge primes, generated on the spot by the recipient, Alice. 
The product would be the nonsecret key, the number given 
to the sender, Bob. (Bob could also find this number in a 
publicly distributed directory.) Cocks then figured out a 
simple mathematical formula in which Bob could use that 
nonsecret number to encrypt the message in such a way 
that it could only be decrypted by a person who knew the 
original primes. 


The formula was virtually the same as what we now call 
the RSA algorithm. Clifford Cocks, in one evening, had 
produced what, three years later, would be rediscovered by 
three soon-to-be famous MIT mathematicians after a four- 
month period of intense trial and error. 


Clifford Cocks recalls that it was probably around seven 
or eight o’clock when the first public key implementation in 
the world was discovered. “This is very interesting,” he 
thought to himself. Then, after he had mapped it out in his 
head, he went to sleep. “I went back to work the next 
morning and wrote it down,” he said. 


He put the short paper on Nick Patterson’s desk and 
waited for his mentor’s reaction. Patterson, admitting to “an 
Irish excitability,” reports that “I went kind of crazy.” He 
literally dashed down the corridor to the office of the 
Communications Security specialists forty yards away, flung 
open the door, and shouted, to the astonishment of the 
stodgy bureaucrats planted behind their desks, “This is the 
most important cryptographic discovery of the century!” 


That, however, was a minority opinion. Even Cocks at that 
time felt that it was more a clever solution to a math puzzle 
than a practical landmark. Certainly, as word began to get 
around CESG that someone had found a way to implement 
James Ellis’s strange idea, no one treated it like the Second 
Coming or anything. “People said, ‘Ha, ha, now here’s a 
method,’ ” Cocks recalls. 


No one seems to remember the moment James Ellis 
heard about Cocks’s discovery. “I think it would have 
happened that morning,” Patterson guesses. “He was very 
happy.” But Ellis was also cautious—fearful, perhaps, that 
GCHQ would still not treat the idea with the seriousness it 
deserved. Cocks himself does not remember his first 
meeting with Ellis, whom he would come to know in the 
coming months. 


Cocks got a go-ahead to write a paper on his idea, and he 
mentioned this to his friend Malcolm Williamson. (Even 
though Williamson was at the time living in the same house 
as Cocks, the conversation had to take place at work, since 
work-related exchanges were verboten outside GCHQ 
walls.) This was sort of a one-up move, since it was fairly 
unusual for a young recruit to be circulating a paper so 
quickly after arriving. The announcement got Williamson’s 
attention, and he listened closely as Cocks explained the 
problem he had tackled and how he had solved it. 


Williamson had known Cocks ever since he was twelve— 
he also had attended Manchester Grammar. Williamson, 
too, was of the middle class; his father was a salesman for a 
textile company. Since both Cocks and Williamson excelled 
at math, there had been a friendly, though unspoken 
competition between the two. Williamson also went to 
Cambridge—Trinity College, which boasted Newton among 
its alumni—then took some graduate work in topology at 
Liverpool University. One day he had an epiphany: if he did 
get his doctorate, he would be a math instructor all his life. 
He was currently teaching a class of engineers and was 
discouraged that none of his students could prove that the 
square root of 3 was irrational. “I couldn’t explain to them 
why they should care,” he says, “and I didn’t care that much 
myself. So I thought, ‘Why am I doing this?’ ” Around that 
time he saw an ad for mathematicians posted by GCHQ. 
Without knowing much about the agency, he replied, and 
found himself assigned to problems of cryptography. 


Williamson had not heard of the Ellis problem before, but 
it struck him as rather nonsensical. How could you do 
cryptography when you passed the key in the open? So he 
set about to shoot down the concept—to “disprove Cliff’s 
idea,” Williamson says. 


It was after dinner, in his room, that Williamson began his 
debunking effort. “You try to reduce a problem to very basic 
general kinds of concepts, just sort of probe it,” he explains. 
“I didn’t manage to prove that there were any flaws in what 
he had.” 


But in the process, Williamson began considering 
different ways that two collaborating parties could pass 
numbers back and forth to arrive at a key—a shared key 
that would be secure even if an eavesdropper (some evil 
Eve) was monitoring every bit of the exchange. It was late 
at night when he finally got it—eight or twelve hours after 
he sat down to think, he reckons—but eventually he had a 
scheme of his own. It involved a complex set of exchanges in 
which each party would pick a random number, perform a 
calculation on it by a difficult-to-reverse formula, and finally 
arrive at a shared key. That Williamson was legally 
forbidden to write it down while at home—for, of course, as 
soon as it sprang out of his head it was instantly a state 
secret—did not bother him. “When you’ve got a concept 
that is right, you can’t forget it,” he says. “Everything 
follows logically.” Still, as his friend Cocks later recalls 
wryly, the next morning was the first within memory that 
Williamson arrived at work early. 


Williamson says that one of the first people he told about 
his breakthrough was Ellis himself, whom he knew only 
slightly at that time. He doesn’t remember much of the 
conversation, but does recall that in the weeks that 
followed, “James made me see it more clearly.” Still, it is 
indicative of the project’s relative unimportance in GCHQ’s 
view of things that Williamson didn’t actually write up his 
work for a couple of months. (He finished his memo in 
January 1974; Cocks’s work had been dated November 
1973.) Not long after that, and after more conversations 
with Ellis, he came up with another idea that further 
streamlined the original concept. This is almost the precise 
formulation for what would later be known as the Diffie- 
Hellman key exchange. As far as Williamson is concerned, 
though, it was pretty much a consequence of the first paper, 
so obvious that he felt in no hurry to circulate it. “It’s 
slightly easier,” he says. “It really didn’t feel like such a big 
step.” 


Now GCHQ had not one but two means of implementing 
James Ellis’s heresy. But just as the agency had been 
suspicious of Ellis’s initial plan, it moved ultra-cautiously 
with these two schemes. “First of all, we wanted to make 
sure it was secure,” says Cocks. 


Oddly, one factor ruling against nonsecret encryption was 
the pure beauty of Cocks’s scheme and Williamson’s second 
implementation. “It’s enticing and nice,” says Williamson, 
“but elegance is not what we’ve looked for before in cipher 
systems. There’s a basic principle that neat and tidy 
problems have neat and tidy solutions, and messy problems 
don’t have neat and tidy solutions. Now, most of cipher 
design is essentially messy; it’s not neat and tidy and 
mathematical. So we’re pretty comfortable that people are 
not going to be able to break those things, because even if 
you hack away at it, you’re not going to suddenly find a little 
magic screw that if you unscrew it, everything falls to 
pieces. But in all this stuff with public key, there absolutely 
may be a magic screw. Some graduate student 
mathematician could really cause a disaster.” 


So concerned was GCHQ with this issue that it not only 
looked at the schemes internally—finding no inherent flaws 
—but also took the unusual step of going to a renowned 
outsider, professor R. F. Churchhouse, giving him the 
mathematics of Cocks’s idea and asking if it was secure. 
Churchhouse concluded that as long as no one figured out a 
fast way of factoring large numbers—something that no 
mathematician had ever come close to—the scheme was 
secure. 


The agency ultimately figured that of the two methods, 
Williamson’s was preferable because its particular functions 
were easier to work with than the huge numbers that came 
with Cocks’s multiplication-based scheme. Even so, the 
system was judged to be impractical. “The machines that 
would be used were expensive and very slow,” explains 
Cocks. “It took minutes to generate [a key]. We looked at 
the circumstances under which you would find it useful to 
have a machine that took that long to produce [keys] and 
immediately thought the applications were too limited to 
make it worth floating.” 


Inside GCHQ, the conventional wisdom had shifted from 
“It’s impossible” to “It’s impractical.” And too many people 
were still terrified by the method’s “nonsecret” aspect. 


Perhaps, went the thinking, such a radically new kind of 
cryptography might have weaknesses too subtle to detect, 
weaknesses that an enemy might use to break the system. 


Even Malcolm Williamson believed that the whole venture 
was too risky. When he finally wrote up the revised version 
of his key scheme, he cited these reservations as the reason 
for the two-year delay. “I find myself in an embarrassing 
position,” he wrote. “Having written [my first paper], I have 
come to doubt the whole theory of nonsecret encryption. 
The trouble is that I have no proof that the method ... is 
genuinely secure.” Later in the paper, however, he 
complains that “I feel that there should be a flaw in the 
security of the method. But I cannot find anything wrong 
with it and would be grateful if anyone else can.” 


No one did. But by then it had tacitly been concluded at 
GCHQ that it wasn’t worth the effort to implement a public 
key cryptosystem. 


In 1976, of course, Diffie and Hellman presented their 
findings, first in January (after circulating drafts informally 
even before that), then in their November revision, “New 
Directions in Cryptography.” This was followed in 1977 by 
the RSA paper. The authors won fame if not instant fortune. 
But by ethics and law, the GCHQ scientists could not let a 
word slip of the real truth. 


According to Cocks, James Ellis read the first paper, 
which outlined the idea but suggested no implementation, 
and said, “They’re where I was in 1969.” The Stanford 
team’s second paper, of course, did suggest a means of 
implementation—one identical to the Malcolm Williamson 
solution. (It is unclear whether the Diffie-Hellman papers 
led him to write up his second, “small step” in implementing 
it, but the paper is dated August 1976, some months after 
Diffie and Hellman’s first publication.) Cocks himself had 
temporarily left GCHQ for a stint at the ministry of defense, 
and first learned of the American discoveries in Martin 
Gardner’s column in mid-1977—the one that described the 
RSA algorithm that he had first discovered three years 
earlier. “I was surprised,” he says. 


Certainly by then, the British cryptographers were 
keeping track of their counterparts outside the shadow 
world. And later in 1977, it obviously caused them 
consternation when they learned that both Stanford 
University and MIT were, respectively, planning to patent 
the Diffie-Hellman and RSA algorithms—both of which were 
originally conceived at CESG. Williamson in particular was 
outraged. 


“I tried to get [GCHQ] to block the U.S. patent,” he says. 
“We could have done that, but in fact the people higher up 
didn’t want to. Patents are complicated.” Specifically there 
was a question as to whether one could obtain a patent 
under British law for what was essentially a mathematical 
algorithm. And of course, there were security issues. It 
wouldn’t do for the GCHQ to let outsiders know what its 
people were thinking. “The advice we received was ‘Don’t 
bother,’” says Cocks. Williamson, who still believes that his 
bosses erred in this case, recalls the chief scientist 
eventually coming to him and saying, “No, we’re not going 
to block the patent.” 


So the shadow world kept quiet. 


Thus, the timidity and isolation of what Ellis called the 
“closed community” led to a creative failure: despite its 
head start, it essentially ceded the public key idea to the 
outsiders who used it to build not only an alternative 
community, but also an entire industry. (The first product 
known to have used public key technology coming out of the 
NSA or GCHQ was the former’s STU-III secure telephone, 
which rolled out in 1987, long after the Diffie-Hellman 
paper was published. By then RSA Data Security was on its 
way toward offering easy-to-use crypto solutions.) 


Also, by shunting the idea of public key cryptography 
aside, the government people were unable to see some of 
the most important aspects of their own discovery. Chief 
among them was the idea that public key cryptography was 
as valuable for its ability to authenticate message senders 
(the digital signature aspect) as it was for its encryption 
properties. What’s more, in rejecting nonsecret encryption 
as impracticably slow, the agencies missed what turned out 
to be a simple solution to that problem: using the nonsecret 
algorithms in conjunction with conventional, symmetrical- 
key systems. Once Diffie and Hellman published their work, 
it didn’t take long for creative minds in the private sector to 
figure out that these “hybrid” systems were the future of 
privacy technologies. 
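
The key exchange described earlier (the streamlined form the text identifies with the Diffie-Hellman key exchange) combined with the "hybrid" arrangement described above, as an added example that is not from the book. The prime, the base, the function names and the HMAC-based keystream standing in for a conventional cipher are all assumptions chosen so the block runs on the Python standard library; the parameters are toy-sized.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (constructed for this example). A 127-bit prime is far
# too small for real use, and the base 3 is an assumed choice whose subgroup
# order is not checked here.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Pick a random private exponent; only the second value goes on the wire."""
    while True:
        private = secrets.randbelow(P - 3) + 2            # in [2, P-2]
        public = pow(G, private, P)
        if 1 < public < P - 1:
            return private, public


def dh_shared_key(own_private, peer_public):
    """Both sides compute G^(a*b) mod P, then hash it into a 32-byte key."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate public value")      # 0, 1 and P-1 force a known key
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _subkey(key, label):
    # Separate keys for encryption and authentication.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, a stand-in for the conventional cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Symmetric half of the hybrid: fast bulk encryption under the agreed key."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    if len(blob) < 48:
        raise ValueError("truncated message")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def run_exchange(message):
    """Alice and Bob agree on a key in the open, then Alice sends one message."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_alice = dh_shared_key(a_priv, b_pub)
    key_bob = dh_shared_key(b_priv, a_pub)
    wire = seal(key_alice, message)
    # Everything an eavesdropper observes; neither private exponent appears.
    eve_sees = {"p": P, "g": G, "A": a_pub, "B": b_pub, "ciphertext": wire}
    return key_alice == key_bob, unseal(key_bob, wire), eve_sees


if __name__ == "__main__":
    same_key, recovered, eve_sees = run_exchange(b"constructed sample plaintext")
    print(same_key, recovered)
```

The exchange by itself does not tell either party who is on the other end; that is the job of the digital signatures mentioned in the same passage.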


This was only one of the public key-based innovations that 
were to arise from the freewheeling exchanges that 
occurred in an atmosphere of openness. There would be 
digital cash (anonymous or traceable), secret sharing, 
digital certificates, digital time stamping, electronic 
receipts, remote gambling ... any number of amazing 
variations by academics, commercial scientists, and 
cypherpunks. As a result of these efforts, public key became 
ubiquitous, on every copy of Netscape and Lotus Notes, 
embedded in Windows and Macintosh, and, inevitably, in 
everyone’s wallet—with no thanks to the closed community 
and owing everything to the open one. 


Should GCHQ and its partners have worked harder to 
make the ideas viable? Could they have come up with some 
of those innovations? Perhaps. But while it’s easy to fault 
the intelligence community for not implementing their 
original ideas, there’s another side to the story. 


Looking at it from a national security point of view, 
prudence made sense. It was one thing to implement a 
totally new system in the private sector, where using any 
kind of crypto to secure data was a novelty in itself. But 
doing so for government secrets, where reliable systems 
were already providing protection in life-and-death 
situations, posed a different kind of risk. “The government 
has to be very cautious,” says Williamson. “It’s much more 
important to secure some of this stuff than, say, banking 
transactions or Internet communications, or what the next 
model Ford is going to look like. If I were on the top of the 
pyramid then, would I have dared to implement it? What 
was the chance that somebody would find that magic screw 
that unlocks everything?” 


Williamson also makes no apologies for the intelligence 
community’s failure to discover any of the marvelous 
innovations that sprang from the original concept of the 
split-key system. GCHQ, the argument goes, was essentially 
a spy and security agency, and had no interest in developing 
the sort of technologies that would provide benefits to the 
public at large (even if the public does pay their salaries). 
“There’s a basic core of things the government has to do,” 
Williamson says, “and the rest is probably better done by 
private industry.” The only reason for the agency to keep 
working on the technologies was to see whether it could 
improve the sorts of activities that GCHQ was already 
performing. 


But by not exploiting nonsecret encryption, the 
intelligence people were quite possibly missing an 
important opportunity to do just that. In 1982, years after 
GCHQ had all the information it needed to implement a 
public key system, the British agency suffered one of its 
worst scandals when an employee named Geoffrey Prime 
sold crucial information to the Russians. During that 
general time period, the NSA also had huge security 
failures, in infamous cases involving the Walker family, and 
Christopher Boyce and Andrew Lee. These involved the 
transfer of invaluable key material that wouldn’t have 
existed in a public key system. It wasn’t really surprising 
that the agencies could be compromised in this manner— 
after all, the difficulty in protecting these keys was a well- 
identified problem. The problem, in fact, that James Ellis 
had set out to solve. 


So why hadn’t the agencies moved decisively in exploring 
nonsecret encryption-based alternatives to their systems? 
In the final reckoning, nonsecret encryption was too much a 
departure from the norm. It was radical and risky— 
appealing traits to an entrepreneur but terrifying ones to a 
bureaucrat. “You’ve got to remember,” says Malcolm 
Williamson, “this is the civil service. I mean, this is 
something new and different. ‘Let’s ignore it. Let’s sweep it 
under the carpet.’ ” 


Do the GCHQ scientists feel shortchanged at seeing 
others win acclaim for what they originally discovered? 
They claim not to, and believe they also speak for James 
Ellis on this point. “Ellis got internal recognition,” says 
Cocks, who himself feels perfectly comfortable with the 
situation. “You accept that [when you work for GCHQ]. 
Internal recognition is all you get.” 


Williamson also rejects the idea that their silence was the 
raw end of a Faustian bargain cut when they entered the 
shadow world. To the contrary, he says that the 
disadvantaged ones are crypto people who don’t work for 
the government. “I sometimes wonder why people on the 
outside work on cryptography,” he says. “What’s their 
reason for it? Clearly, governments have good reason for 
this—they want to secure their own communications, they 
want to read communications of other countries. Those are 
important jobs. Who would want to sit in a university and do 
that sort of thing? It’s sort of like being a shipbuilder and 
insisting on living in Iowa.” (Williamson himself, after some 
years working in the private sector, is now an American 
citizen—and is back in the shadow world, working for a 
nonprofit think tank that does classified defense work.) 


But James Ellis apparently had thoughts of his place in 
posterity. “His career wasn’t going anywhere,” says Nick 
Patterson. “I would guess he was frustrated and viewed it 
as he did his previous disappointment with the radio 
invention.” In 1985, he wrote a paper specifically to set the 
general public straight on just who invented public key 
cryptography. In the opening paragraphs, he explains that 
while secrecy is utterly crucial in his business, there are 
circumstances when it can be put aside “in the interests of 
historical accuracy after it has been demonstrated clearly 
that no further benefit can be obtained from continued 
secrecy.” Given that, he continued, “it is now appropriate to 
tell the story.” 


Clearly, he hoped to establish his claim. The paper itself 
ends by emphasizing, for anyone thick enough to have 
missed the point, that it was “some time after the basic 
work was done” that Diffie and Hellman made what he 
called the rediscovery of the nonsecret encryption 
techniques. But if Ellis hoped that his account would quickly 
find its way outside the closed community, he was to be 
bitterly disappointed. Year after year went by and his 
attempt to set the record straight remained classified. His 
superiors felt it was not time yet. Nor was it time five years 
after he wrote it. Or ten years. 


So why did they finally allow the papers to see daylight in 
December 1997, twelve years after Ellis compiled the 
history and almost twenty years after a brainstorm that 
would shake cryptography itself? Cliff Cocks says that the 
impetus was a speech he was scheduled to give around that 
time, on a variation of what will always be called the RSA 
algorithm. But Malcolm Williamson is more frank on the 
issue. The papers were all ready to go, he says, but could 
not be published “until a certain person retired.” 


That retirement apparently occurred before December 
23, 1997, when GCHQ finally posted the original papers of 
Ellis, Cocks, and Williamson on its Web site, along with the 
“History of Non-Secret Encryption” that Ellis had written in 
1985. But the release came too late for Ellis. Barely a 
month before the world learned of his crowning 
achievement, James H. Ellis died. 


But not before he got to meet his counterpart in the 
“open community.” For years Whit Diffie had been 
wondering about rumors that public key cryptography had 
indeed been discovered by the spooks. In the late 1970s 
NSA director Bobby Inman made a point of informing 
cryptographer Gus Simmons, who was writing the 
cryptography entry for the Encyclopedia Britannica, that it 
was an NSA invention. Diffie once pressed NSA deputy 
director Howard Rosenblum on the matter and was 
surprised that Rosenblum referred him not to anyone 
behind the Triple Fence but to a British GCHQ engineer 
he’d never heard of. Without stating his motivation—he 
hoped it would be obvious—he called Ellis, who indicated he 
might also like a meeting. 


It was September 1982. Diffie had a trip planned to Paris, 
and his itinerary allowed a visit to Cheltenham. Diffie and 
his wife Mary Fischer left Paris to the sound of Gregorian 
chants blaring from every radio and television: it was the 
funeral of Princess Grace of Monaco. Diffie and Fischer flew 
to Heathrow and went to Salisbury for the weekend. Then 
he drove alone to Cheltenham. 


Ellis lived on the outskirts of town; from the back of the 
house the ground fell off steeply, and one had a beautiful 
view of the town below. He called it the Dilkusha House, 
which means “little delight” in Persian. In the backyard he 
raised bees. Ellis in his late fifties was a tall man, going 
gray. His wife was friendly; they had a daughter bound to 
attend the London School of Economics. After some small 
talk with Ellis’s wife, Diffie and Ellis headed to a pub. 


Diffie turned to Ellis as they pulled out of the driveway. 
“Tell me,” he said, “how you invented nonsecret 
encryption.” 


“Who says I did?” asked James Ellis. 
Diffie gave him the NSA official’s name. 


“Do you work for him?” asked Ellis. Diffie said no. He was 
not part of the closed community. 


After a bit more of this back-and-forth, Diffie realized that 
Ellis wasn’t going to talk about it. Indeed, Diffie would meet 
Ellis several times more, and while they would come closer 
to discussing the subject, Ellis would never really lay out 
the story of nonsecret encryption as clearly as he did in his 
papers. But the two scientists would become friends. 


Diffie’s wife, after getting to know Ellis, would come to see a 
clear connection between Ellis and her husband. “They’re 
both mystics,” says Mary Fischer. 


Who knows what was going through James Ellis’s head 
that day? He was a man who came across a revolutionary 
idea and lived to see others win fame for its reinvention; 
who took pains to write a paper outlining his contribution 
and waited, in vain, for it to be published in his lifetime; 
who saw his idea, when presented by others, not only 
flourish but create a new industry and a new community 
and a virtual transformation of the subject—so thorough a 
shift that even the shadow world would never be the same. 
But he could not, and would not, break the rules and share 
his secrets—not even to his private-sector doppelganger. 


Later at the pub, Ellis would get Diffie tipsy on hard cider 
while they spoke of anything but the matter that had drawn 
them together and permanently bound them. But before 
leaving the subject, Ellis couldn’t resist a tacit 
acknowledgment, one that spoke volumes about the world 
he lived in and the new world of cryptography that Diffie 
was helping to create. 


“You did more with it than we did,” said the father of 
nonsecret encryption to the father of public key 
cryptography. And thereafter kept his secret. 

The core of this book is a series of personal interviews 

period, I attended conferences, visited key sites, and 
performed my own version of Signals Intelligence, using the 
Internet’s vast resources to gather information. (Monitoring 
discussions on sci.crypt or cypherpunks@toad.com was 
almost a full-time job.) Besides published texts, sources 
include government and court documents and memos, as 
well as corporate memos and reports. 


The Loner 


Besides personal interviews and communications, the Diffie 
material is supplemented by unpublished autobiographical 
notes, “Personal Memories on the Discovery of Public Key 

glossary 


Capstone A National Security Agency-designed chip with capabilities for 
strong encryption and digital signatures, but with key escrow so 
authorities can read encrypted messages. 


Cipher Also known as a cryptographic algorithm, it is the mathematical 
function used to scramble and unscramble messages. 


Ciphertext The (presumably unreadable) state of a message after it has been 
encrypted. 


Clipper Chip The NSA-designed key escrow system earmarked for telephone 
devices. The tamperproof chip offered only the encryption and escrow 
features of the Capstone’s system. 


Communications Security (COMSEC) The practice of ensuring that codes 
are strong and well implemented. (This is half of the NSA’s mission, along 
with SIGINT.) 


Cryptanalysis Codebreaking—the black art of turning ciphertext back into 
plaintext without using the key. 


Cryptography The use of secret codes and ciphers. 


Cryptology The study and mathematics of secret codes and ciphers. 
Sometimes used interchangeably with cryptography. 


Cryptosystem A means of encrypting data and performing other 
cryptographic functions, often synonymous with the algorithm that 
performs the actual scrambling. 


Data Encryption Standard (DES) A cryptosystem developed by IBM, evolved 
from the earlier Lucifer. Though originally questioned by critics, this 
conventional cipher has proved secure, vulnerable only by what critics 
consider a weak provision for the length of its keys. 


Diffie-Hellman Key Exchange The algorithm devised by Whit Diffie and 
Marty Hellman that allows two people to generate a secret key in such a 
way that each will possess it, but an eavesdropper listening to the entire 
exchange won’t be able to construct it himself. 


Digital Signature Mathematically generated cryptographic data that 
undeniably identify a message with its sender. 


Digital Signature Algorithm (DSA) An algorithm, produced by the NSA, 
that the government endorsed as the Digital Signature Standard. It differs 
from the RSA signature scheme in that it does not encrypt information. 


Encryption The act of scrambling information (into ciphertext) so that 
intercepted messages cannot be read. 


Factoring The mathematical feat of taking a number produced by the 
multiplication of two smaller numbers and finding the original figures. 
This one-way function is the basis of the RSA algorithm. 


Hash Function A cryptographic means of compressing a message so that it 
provides a compact “fingerprint” of the original. 


IDEA A conventional cipher used by later versions of PGP, replacing the 
original “Bass-O-Matic.” 


Key The component of a cryptosystem that determines how the message will 
be scrambled. A key applied to a plaintext message becomes ciphertext; 
the same key (or in a public key system, a matching half of a key pair) will 
change it back. 


Key Escrow A shortcut, or trapdoor, intentionally built into cryptosystems that 
allows authorities to quickly decrypt messages, ostensibly without 
otherwise compromising security. 


Key Length The longer the key, the more difficult a cipher is to break by 
“brute force” (testing each different possibility until plaintext emerges). 
The range of all possible keys is called a keyspace. The amount of effort it 
takes to conduct a brute-force attack is the workfactor. 


Knapsack Early public key cryptosystem, devised by Ralph Merkle, and 
subsequently broken. 


Lucifer Conventional cryptosystem devised by Horst Feistel at IBM in the 
early 1970s. It was the basis for the 1975 Data Encryption Standard. 


One-Time Pad The only mathematically unbreakable form of cipher; unwieldy 
as it requires a key as long as the message itself, and that key can never be 
reused. 


One-Way Function A mathematical operation that is easy to calculate, but 
many times harder to reverse. A trapdoor one-way function has an 
additional feature in that someone with the proper information can 
reverse the calculation. 


Plaintext The original, preencrypted form of a message. 


Pretty Good Privacy (PGP) Phil Zimmermann’s popular home-grown public 
key cryptosystem, distributed for free on the Internet beginning in 1991. 


Private Key In a public key system, the private key is the component of the 
key pair that must be closely held: only by the use of it can one 
unscramble messages created by the holder’s public key and “sign” 
messages to verify that the holder actually sent them. 


Public Key The component of a key pair that allows others to send private 
messages to its holder. It is also used to verify digital signatures. It can 
be widely distributed with no compromise in security. 


Public Key Cryptography The breakthrough system devised by Diffie and 
Hellman in 1975 that eschews symmetric keys for a key pair. 


Random Number Generator (RNG) A part of a computer-based 
cryptosystem that adds unpredictability to the way keys scramble the 
message. 


RC2, RC4 Conventional ciphers created by Ron Rivest (the RC stands for 
Rivest cipher). 


Remailer An Internet service that allows people to send electronic messages 
without revealing their identities. 


RSA Algorithm The most popular public key cryptosystem, devised by Rivest, 
Shamir, and Adleman in 1977. 


Signals Intelligence (SIGINT) The means of intercepting communications 
and, when necessary, breaking codes. 


Skipjack A strong conventional encryption cipher, produced by the NSA, that 
was at the heart of the Capstone and Clipper schemes. 


Symmetric Key Used in conventional cryptography, a single one of these is 
used by the sender of a message to scramble the text and by the receiver 
to unscramble it. 